diff --git a/adapters/firebase/vite.config.mts b/adapters/firebase/vite.config.mts
deleted file mode 100644
index 4be99db..0000000
--- a/adapters/firebase/vite.config.mts
+++ /dev/null
@@ -1,21 +0,0 @@
-import { nodeServerAdapter } from "@builder.io/qwik-city/adapters/node-server/vite";
-import { extendConfig } from "@builder.io/qwik-city/vite";
-import baseConfig from "../../vite.config.mts";
-import { builtinModules } from "module";
-export default extendConfig(baseConfig, () => {
- return {
- ssr: {
- external: builtinModules,
- noExternal: /./,
- },
- build: {
- minify: false,
- ssr: true,
- rollupOptions: {
- input: ["./src/entry-firebase.tsx", "@qwik-city-plan"],
- },
- outDir: "./functions/server",
- },
- plugins: [nodeServerAdapter({ name: "firebase" })],
- };
-});
diff --git a/dist/about/index.html b/dist/about/index.html
index 338c26a..1433a71 100644
--- a/dist/about/index.html
+++ b/dist/about/index.html
@@ -1,14 +1,6 @@
-About | Digital Defense

About the QA Supervisor

The objective of this project is to give you practical guidance on how to improve product quality, security, and further scale.

+About | Digital Defense

About the QA Supervisor

The objective of this project is to give you practical guidance on how to improve product quality, security, and further scale.

-

Contributing

These are some of the projects that I have been contrbuted in open source trajectory

-

You can get the fork of these projects personal-security-checklist.yml

-

About the Author

Hi, This is Muhammad Farhan
▶ Demonstrated ability to create innovative AI solutions for diverse applications such as natural language processing, computer vision, and autonomous systems.
▶ Having hands on product development experience in IoT domain, specifically covered back-end development using Java, Python and related open source technologies.
▶ Experience in Agile software development using SCRUM.
▶ Expertise in Python, JavaScript, TypeScript, ReactJS, VueJS, Selenium, Postman, Playwright, Electron, Angular, Spring, ReadyAPI, Hibernate, MongoDB, MySQL and Cassandra.
▶ Proficient in design and development of software applications especially in software as a service (SaaS) layer and micro-services.
▶ Exposed to designing system level database, restful services.
▶ Having hands on experience in build automation using Jenkins, Gitlab CI, Circle CI


Alicia Sykes

I worked with various organizations, such as Siemens, Mentor Graphics, Intech and Imperious Tech.


I have a particular interest in process, self-hosting, Linux, security and automation testing.
So if this type of stuff interests you, check out these other projects:


For apps I've published, see engr-farhan.netlify.app, or follow me on GitHub

License

This project is split-licensed, with the checklist content (located in qa-checklist.yml) being licensed under CC BY-NC-SA 4.0. And everything else (including all the code), licensed under MIT.

-
-

What does this means for you?

\ No newline at end of file +

About the Author

Hi, This is Muhammad Farhan
▶ Demonstrated ability to create innovative AI solutions for diverse applications such as natural language processing, computer vision, and autonomous systems.
▶ Having hands on product development experience in IoT domain, specifically covered back-end development using Java, Python and related open source technologies.
▶ Experience in Agile software development using SCRUM.
▶ Expertise in Python, JavaScript, TypeScript, ReactJS, VueJS, Selenium, Postman, Playwright, Electron, Angular, Spring, ReadyAPI, Hibernate, MongoDB, MySQL and Cassandra.
▶ Proficient in design and development of software applications especially in software as a service (SaaS) layer and micro-services.
▶ Exposed to designing system level database, restful services.
▶ Having hands on experience in build automation using Jenkins, Gitlab CI, Circle CI


Alicia Sykes

I worked with various organizations, such as Siemens, Mentor Graphics, Intech and Imperious Tech.


I have a particular interest in process, self-hosting, Linux, security and automation testing.
So if this type of stuff interests you, check out these other projects:


For apps I've published, see engr-farhan.netlify.app, or follow me on GitHub

\ No newline at end of file
diff --git a/dist/about/q-data.json b/dist/about/q-data.json
index bb9e54e..a265ece 100644
--- a/dist/about/q-data.json
+++ b/dist/about/q-data.json
@@ -1 +1 @@ -{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. 
There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"uzXTlLKitXg":"3o3"},"\u0001",200,"/about/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file +{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. 
Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. 
(This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"R4G1hVIrQpw":"3o3"},"\u0001",200,"/about/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file diff --git a/dist/automation/index.html b/dist/automation/index.html index 10f2ae6..f5b06d8 100644 --- a/dist/automation/index.html +++ b/dist/automation/index.html @@ -1,4 +1,4 @@ -QA Supervisor - The ultimate quality checklist and framework
\ No newline at end of file +QA Supervisor - The ultimate quality checklist and framework
\ No newline at end of file diff --git a/dist/automation/q-data.json b/dist/automation/q-data.json index 86feb63..dc91b86 100644 --- a/dist/automation/q-data.json +++ b/dist/automation/q-data.json 
@@ -1 +1 @@ -{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. 
There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"uzXTlLKitXg":"3o3"},"\u0001",200,"/automation/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file +{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. 
Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. 
(This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"R4G1hVIrQpw":"3o3"},"\u0001",200,"/automation/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file diff --git a/dist/build/q-26e31889.js b/dist/build/q-26e31889.js deleted file mode 100644 index 8de96f6..0000000 --- a/dist/build/q-26e31889.js +++ /dev/null @@ -1 +0,0 @@ -import{e as r}from"./q-b628c5ca.js";const o=()=>r(()=>import("./q-8ea06850.js"),[]);export{o as ServiceworkerServiceWorker}; diff --git a/dist/build/q-4e54d9ab.js b/dist/build/q-4e54d9ab.js deleted file mode 100644 index 255b524..0000000 --- a/dist/build/q-4e54d9ab.js +++ /dev/null @@ -1 +0,0 @@ -import{u as s}from"./q-b628c5ca.js";const e=o=>{const[t]=s();if(!t.submitted)return t.submit(o)};export{e as s_uPHV2oGn4wc}; diff --git a/dist/build/q-84813efe.js b/dist/build/q-84813efe.js deleted file mode 100644 index 905d1aa..0000000 --- a/dist/build/q-84813efe.js +++ /dev/null 
@@ -1 +0,0 @@ -import{E as t}from"./q-b628c5ca.js";const o=t("psc.ChecklistContext");export{o as C}; diff --git a/dist/build/q-938c52b8.js b/dist/build/q-938c52b8.js deleted file mode 100644 index 3ae5f09..0000000 --- a/dist/build/q-938c52b8.js +++ /dev/null @@ -1 +0,0 @@ -import{c as r,s as t}from"./q-9bbcdbc0.js";import{u as m}from"./q-b628c5ca.js";import{v as F}from"./q-b628c5ca.js";const c=function({track:v}){const[l,u,o,e,i,a]=m();return v(()=>o.value),r(a.value),o.value?(l.value&&(e.value="enterFrom"),u.value=!0,l.value=!0,a.value=t(()=>{e.value="enterTo"})):u.value&&(e.value="leaveFrom",t(()=>{e.value="leaveTo"}),a.value=t(()=>{u.value=!1},i)),()=>{r(a.value)}};export{F as _hW,c as s_1SkPzUertu8}; diff --git a/dist/build/q-9bbcdbc0.js b/dist/build/q-9bbcdbc0.js deleted file mode 100644 index b6662d1..0000000 --- a/dist/build/q-9bbcdbc0.js +++ /dev/null @@ -1 +0,0 @@ -import{j as i,J as u,q as m,e as c}from"./q-b628c5ca.js";function f(e,{timeout:a=0,transitionOnAppear:o=!1}){const t=i(o?"enterFrom":"idle"),n=i(!1),s=i({}),r=i(e.value);return u(m(()=>c(()=>import("./q-938c52b8.js"),[]),"s_1SkPzUertu8",[n,r,e,t,a,s])),{stage:t,shouldMount:r}}function d(e,a=0){const o=performance.now(),t={};function n(){t.id=requestAnimationFrame(s=>{s-o>a?e():n()})}return n(),t}function _(e){e.id&&cancelAnimationFrame(e.id)}export{_ as c,d as s,f as u}; diff --git a/dist/build/q-b628c5ca.js b/dist/build/q-b628c5ca.js deleted file mode 100644 index 9998168..0000000 --- a/dist/build/q-b628c5ca.js +++ /dev/null 
@@ -1,6 +0,0 @@ -const Ys=function(){const t=typeof document<"u"&&document.createElement("link").relList;return t&&t.supports&&t.supports("modulepreload")?"modulepreload":"preload"}(),Zs=function(e){return"/"+e},mn={},js=function(t,n,s){if(!n||n.length===0)return t();const r=document.getElementsByTagName("link");return Promise.all(n.map(o=>{if(o=Zs(o),o in mn)return;mn[o]=!0;const $=o.endsWith(".css"),l=$?'[rel="stylesheet"]':"";if(!!s)for(let a=r.length-1;a>=0;a--){const u=r[a];if(u.href===o&&(!$||u.rel==="stylesheet"))return}else if(document.querySelector(`link[href="${o}"]${l}`))return;const c=document.createElement("link");if(c.rel=$?"stylesheet":Ys,$||(c.as="script",c.crossOrigin=""),c.href=o,document.head.appendChild(c),$)return new Promise((a,u)=>{c.addEventListener("load",a),c.addEventListener("error",()=>u(new Error(`Unable to preload CSS for ${o}`)))})})).then(()=>t()).catch(o=>{const $=new Event("vite:preloadError",{cancelable:!0});if($.payload=o,window.dispatchEvent($),!$.defaultPrevented)throw o})},er=!1,me=e=>e&&typeof e.nodeType=="number",Dn=e=>e.nodeType===9,$e=e=>e.nodeType===1,ie=e=>{const t=e.nodeType;return t===1||t===111},tr=e=>{const t=e.nodeType;return t===1||t===111||t===3},V=e=>e.nodeType===111,Ct=e=>e.nodeType===3,Be=e=>e.nodeType===8,pe=(e,...t)=>kt(!1,e,...t),nr=(e,...t)=>{throw kt(!1,e,...t)},Mt=(e,...t)=>kt(!0,e,...t),Ie=()=>{},sr=e=>e,kt=(e,t,...n)=>{const s=t instanceof Error?t:new Error(t);return console.error("%cQWIK ERROR","",s.message,...sr(n),s.stack),e&&setTimeout(()=>{throw s},0),s};const it=e=>`Code(${e}) https://github.com/QwikDev/qwik/blob/main/packages/qwik/src/core/error/error.ts#L${8+e}`,I=(e,...t)=>{const n=it(e,...t);return Mt(n,...t)},rr=()=>({isServer:er,importSymbol(e,t,n){if(!t)throw I(31,n);if(!e)throw I(30,t,n);const s=or(e.ownerDocument,e,t).toString(),r=new URL(s);return r.hash="",r.search="",js(()=>import(r.href),[]).then(o=>o[n])},raf:e=>new Promise(t=>{requestAnimationFrame(()=>{t(e())})}),nextTick:e=>new 
Promise(t=>{setTimeout(()=>{t(e())})}),chunkForSymbol:(e,t)=>[e,t??"_"]}),or=(e,t,n)=>{const s=e.baseURI,r=new URL(t.getAttribute("q:base")??s,s);return new URL(n,r)};let Fn=rr();const Nt=()=>Fn,ct=()=>Fn.isServer,lt=e=>{const t=Object.getPrototypeOf(e);return t===Object.prototype||t===null},ce=e=>!!e&&typeof e=="object",q=e=>Array.isArray(e),ge=e=>typeof e=="string",X=e=>typeof e=="function",W=e=>e&&typeof e.then=="function",at=(e,t,n)=>{try{const s=e();return W(s)?s.then(t,n):t(s)}catch(s){return n(s)}},T=(e,t)=>W(e)?e.then(t):t(e),zt=e=>e.some(W)?Promise.all(e):e,Ee=e=>e.length>0?Promise.all(e):e,Qn=e=>e!=null,$r=e=>new Promise(t=>{setTimeout(t,e)}),G=[],L={},Ue=e=>typeof document<"u"?document:e.nodeType===9?e:e.ownerDocument,ir="q:renderFn",te="q:slot",Wn="q:s",Ot="q:style",vt=Symbol("proxy target"),we=Symbol("proxy flags"),J=Symbol("proxy manager"),P=Symbol("IMMUTABLE"),Lt="_qc_",D=(e,t,n)=>e.setAttribute(t,n),U=(e,t)=>e.getAttribute(t),Dt=e=>e.replace(/([A-Z])/g,"-$1").toLowerCase(),cr=e=>e.replace(/-./g,t=>t[1].toUpperCase()),lr=/^(on|window:|document:)/,ar="preventdefault:",Bn=e=>e.endsWith("$")&&lr.test(e),ur=e=>{if(e.length===0)return G;if(e.length===1){const n=e[0];return[[n[0],[n[1]]]]}const t=[];for(let n=0;n[n,e.filter(s=>s[0]===n).map(s=>s[1])])},Un=(e,t,n,s)=>{if(t.endsWith("$"),t=xt(t.slice(0,-1)),n)if(q(n)){const r=n.flat(1/0).filter(o=>o!=null).map(o=>[t,yn(o,s)]);e.push(...r)}else e.push([t,yn(n,s)]);return t},gn=["on","window:on","document:on"],fr=["on","on-window","on-document"],xt=e=>{let t="on";for(let n=0;n(e.$setContainer$(t),e),dr=(e,t)=>{const n=e.$element$.attributes,s=[];for(let r=0;r{Qt(Ft(e,void 0),t)},Sn=(e,t)=>{Qt(Ft(e,"document"),t)},si=(e,t)=>{Qt(Ft(e,"window"),t)},Ft=(e,t)=>{const n=t!==void 0?t+":":"";return Array.isArray(e)?e.map(s=>`${n}on-${s}`):`${n}on-${e}`},Qt=(e,t)=>{if(t){const n=ls(),s=N(n.$hostElement$,n.$renderCtx$.$static$.$containerState$);typeof 
e=="string"?s.li.push([xt(e),t]):s.li.push(...e.map(r=>[xt(r),t])),s.$flags$|=_t}},hr=(e,t,n,s)=>{e&&e.dispatchEvent(new CustomEvent(t,{detail:n,bubbles:s,composed:s}))},Wt=(e,t,n=0)=>t.$proxyMap$.get(e)||(n!==0&&ut(e,n),He(e,t,void 0)),He=(e,t,n)=>{gt(e),t.$proxyMap$.has(e);const s=t.$subsManager$.$createManager$(n),r=new Proxy(e,new Hn(t,s));return t.$proxyMap$.set(e,r),r},Bt=()=>{const e={};return ut(e,2),e},ut=(e,t)=>{Object.defineProperty(e,we,{value:t,enumerable:!1})},ri=(e,t)=>{const n={};for(const s in e)t.includes(s)||(n[s]=e[s]);return n};class Hn{constructor(t,n){this.$containerState$=t,this.$manager$=n}deleteProperty(t,n){if(2&t[we])throw I(17);return typeof n=="string"&&delete t[n]&&(this.$manager$.$notifySubs$(q(t)?void 0:n),!0)}get(t,n){var c;if(typeof n=="symbol")return n===vt?t:n===J?this.$manager$:t[n];const s=t[we]??0,r=K(),o=!!(1&s),$=t["$$"+n];let l,i;if(r&&(l=r.$subscriber$),!(2&s)||n in t&&!mr((c=t[P])==null?void 0:c[n])||(l=null),$?(i=$.value,l=null):i=t[n],l){const a=q(t);this.$manager$.$addSub$(l,a?void 0:n)}return o?gr(i,this.$containerState$):i}set(t,n,s){if(typeof n=="symbol")return t[n]=s,!0;const r=t[we]??0;if(2&r)throw I(17);const o=1&r?gt(s):s;if(q(t))return t[n]=o,this.$manager$.$notifySubs$(),!0;const $=t[n];return t[n]=o,$!==o&&this.$manager$.$notifySubs$(n),!0}has(t,n){if(n===vt)return!0;const s=Object.prototype.hasOwnProperty;return!!s.call(t,n)||!(typeof n!="string"||!s.call(t,"$$"+n))}ownKeys(t){if(!(2&(t[we]??0))){let s=null;const r=K();r&&(s=r.$subscriber$),s&&this.$manager$.$addSub$(s)}return q(t)?Reflect.ownKeys(t):Reflect.ownKeys(t).map(s=>typeof s=="string"&&s.startsWith("$$")?s.slice(2):s)}getOwnPropertyDescriptor(t,n){return q(t)||typeof n=="symbol"?Object.getOwnPropertyDescriptor(t,n):{enumerable:!0,configurable:!0}}}const mr=e=>e===P||Q(e),gr=(e,t)=>{if(ce(e)){if(Object.isFrozen(e))return e;const n=gt(e);if(n!==e||Qs(n))return e;if(lt(n)||q(n))return t.$proxyMap$.get(n)||Wt(n,t,1)}return e},le=()=>{const 
e=ls(),t=N(e.$hostElement$,e.$renderCtx$.$static$.$containerState$),n=t.$seq$||(t.$seq$=[]),s=e.$i$++;return{val:n[s],set:r=>n[s]=r,i:s,iCtx:e,elCtx:t}},yr=e=>Object.freeze({id:Dt(e)}),oi=(e,t)=>{const{val:n,set:s,elCtx:r}=le();if(n!==void 0)return;(r.$contexts$||(r.$contexts$=new Map)).set(e.id,t),s(!0)},$i=(e,t)=>{const{val:n,set:s,iCtx:r,elCtx:o}=le();if(n!==void 0)return n;const $=Gn(e,o,r.$renderCtx$.$static$.$containerState$);if(typeof t=="function")return s(Y(void 0,t,$));if($!==void 0)return s($);if(t!==void 0)return s(t);throw I(13,e.id)},Sr=(e,t)=>{var r;let n=e,s=1;for(;n&&!((r=n.hasAttribute)!=null&&r.call(n,"q:container"));){for(;n=n.previousSibling;)if(Be(n)){const o=n.__virtual;if(o){const $=o[Lt];if(n===o.open)return $??N(o,t);if($!=null&&$.$parentCtx$)return $.$parentCtx$;n=o;continue}if(n.data==="/qv")s++;else if(n.data.startsWith("qv ")&&(s--,s===0))return N(Xe(n),t)}n=e.parentElement,e=n}return null},vr=(e,t)=>(e.$parentCtx$===void 0&&(e.$parentCtx$=Sr(e.$element$,t)),e.$parentCtx$),Gn=(e,t,n)=>{var o;const s=e.id;if(!t)return;let r=t;for(;r;){const $=(o=r.$contexts$)==null?void 0:o.get(s);if($)return $;r=vr(r,n)}},xr=yr("qk-error"),Ut=(e,t,n)=>{const s=F(t);{const r=Gn(xr,s,n.$static$.$containerState$);if(r===void 0)throw e;r.error=e}},Er=new 
Set(["animationIterationCount","aspectRatio","borderImageOutset","borderImageSlice","borderImageWidth","boxFlex","boxFlexGroup","boxOrdinalGroup","columnCount","columns","flex","flexGrow","flexShrink","gridArea","gridRow","gridRowEnd","gridRowStart","gridColumn","gridColumnEnd","gridColumnStart","fontWeight","lineClamp","lineHeight","opacity","order","orphans","scale","tabSize","widows","zIndex","zoom","MozAnimationIterationCount","MozBoxFlex","msFlex","msFlexPositive","WebkitAnimationIterationCount","WebkitBoxFlex","WebkitBoxOrdinalGroup","WebkitColumnCount","WebkitColumns","WebkitFlex","WebkitFlexGrow","WebkitFlexShrink","WebkitLineClamp"]),wr=e=>Er.has(e),Et=(e,t,n)=>{t.$flags$&=~Le,t.$flags$|=nn,t.$slots$=[],t.li.length=0;const s=t.$element$,r=t.$componentQrl$,o=t.$props$,$=Z(e.$static$.$locale$,s,void 0,"qRender"),l=$.$waitOn$=[],i=Ht(e);i.$cmpCtx$=t,i.$slotCtx$=void 0,$.$subscriber$=[0,s],$.$renderCtx$=e,r.$setContainer$(e.$static$.$containerState$.$containerEl$);const c=r.getFn($);return at(()=>c(o),a=>T(ct()?T(Ee(l),()=>T(eo(e.$static$.$containerState$,e),()=>Ee(l))):Ee(l),()=>{var u;if(t.$flags$&Le){if(!(n&&n>100))return Et(e,t,n?n+1:1);Ie(`Infinite loop detected. Element: ${(u=t.$componentQrl$)==null?void 0:u.$symbol$}`)}return{node:a,rCtx:i}}),a=>{var u;if(a===ps){if(!(n&&n>100))return T(Ee(l),()=>Et(e,t,n?n+1:1));Ie(`Infinite loop detected. 
Element: ${(u=t.$componentQrl$)==null?void 0:u.$symbol$}`)}return Ut(a,s,e),{node:Xn,rCtx:i}})},br=(e,t)=>({$static$:{$doc$:e,$locale$:t.$serverData$.locale,$containerState$:t,$hostElements$:new Set,$operations$:[],$postOperations$:[],$roots$:[],$addSlots$:[],$rmSlots$:[],$visited$:[]},$cmpCtx$:null,$slotCtx$:void 0}),Ht=e=>({$static$:e.$static$,$cmpCtx$:e.$cmpCtx$,$slotCtx$:e.$slotCtx$}),Gt=(e,t)=>{var n;return(n=t==null?void 0:t.$scopeIds$)!=null&&n.length?t.$scopeIds$.join(" ")+" "+wt(e):wt(e)},wt=e=>{if(!e)return"";if(ge(e))return e.trim();const t=[];if(q(e))for(const n of e){const s=wt(n);s&&t.push(s)}else for(const[n,s]of Object.entries(e))s&&t.push(n.trim());return t.join(" ")},Jt=e=>{if(e==null)return"";if(typeof e=="object"){if(q(e))throw I(0,e,"style");{const t=[];for(const n in e)if(Object.prototype.hasOwnProperty.call(e,n)){const s=e[n];s!=null&&(n.startsWith("--")?t.push(n+":"+s):t.push(Dt(n)+":"+_r(n,s)))}return t.join(";")}}return String(e)},_r=(e,t)=>typeof t!="number"||t===0||wr(e)?t:t+"px",Tr=e=>re(e.$static$.$containerState$.$elementIndex$++),Jn=(e,t)=>{const n=Tr(e);t.$id$=n},Vt=e=>Q(e)?Vt(e.value):e==null||typeof e=="boolean"?"":String(e);function Rr(e){return e.startsWith("aria-")}const Ir=(e,t)=>!!t.key&&(!ft(e)||!X(e.type)&&e.key!=t.key),ue="dangerouslySetInnerHTML",Pr=(e,t=0)=>{for(let n=0;n`${Pr(e.$hash$)}-${t}`,qr=e=>"⭐️"+e,Cr=e=>{const t=e.join("|");if(t.length>0)return t},ii=(e,t,n)=>new Tt(e,t,n),Mr=e=>{const t=e.$funcStr$;let n="";for(let s=0;s(${t})`},Vn=(e,t,n,s,r,o)=>{const $=o==null?null:String(o);return new qe(e,t||L,n,s,r,$)},ci=(e,t,n,s,r,o)=>{let $=null;return t&&"children"in t&&($=t.children,delete t.children),Vn(e,t,n,$,s,r)},Xt=(e,t,n,s,r)=>{const o=s==null?null:String(s),$=t??{};if(typeof e=="string"&&P in $){const i=$[P];delete $[P];const c=$.children;delete $.children;for(const[a,u]of Object.entries(i))u!==P&&(delete $[a],$[a]=u);return Vn(e,null,$,c,n,s)}const l=new qe(e,$,null,$.children,n,o);return typeof 
e=="string"&&t&&delete t.children,l},kr=(e,t,n)=>{const s=n==null?null:String(n),r=rn(()=>{const $=t.children;return typeof e=="string"&&delete t.children,$});return ge(e)&&"className"in t&&(t.class=t.className,delete t.className),new qe(e,t,null,r,0,s)};class qe{constructor(t,n,s,r,o,$=null){this.type=t,this.props=n,this.immutableProps=s,this.children=r,this.flags=o,this.key=$}}const ze=e=>e.children,ft=e=>e instanceof qe,Ye=e=>e.children,Xn=Symbol("skip render"),Kt=(e,t,n)=>{const s=!(t.$flags$&nn),r=t.$element$,o=e.$static$.$containerState$;return o.$hostsStaging$.delete(t),o.$subsManager$.$clearSub$(r),T(Et(e,t),$=>{const l=e.$static$,i=$.rCtx,c=Z(e.$static$.$locale$,r);if(l.$hostElements$.add(r),c.$subscriber$=[0,r],c.$renderCtx$=i,s&&t.$appendStyles$)for(const u of t.$appendStyles$)Lo(l,u);const a=ne($.node,c);return T(a,u=>{const p=Nr(r,u),m=Yt(t);return T(nt(i,m,p,n),()=>{t.$vdom$=p})})})},Yt=e=>(e.$vdom$||(e.$vdom$=st(e.$element$)),e.$vdom$);class ee{constructor(t,n,s,r,o,$){this.$type$=t,this.$props$=n,this.$immutableProps$=s,this.$children$=r,this.$flags$=o,this.$key$=$,this.$elm$=null,this.$text$="",this.$signal$=null,this.$id$=t+($?":"+$:"")}}const Kn=(e,t)=>{const{key:n,type:s,props:r,children:o,flags:$,immutableProps:l}=e;let i="";if(ge(s))i=s;else{if(s!==ze){if(X(s)){const a=Y(t,s,r,n,$,e.dev);return Ir(a,e)?Kn(Xt(ze,{children:a},0,n),t):ne(a,t)}throw I(25,s)}i=Pe}let c=G;return o!=null?T(ne(o,t),a=>(a!==void 0&&(c=q(a)?a:[a]),new ee(i,r,l,c,$,n))):new ee(i,r,l,c,$,n)},Nr=(e,t)=>{const n=t===void 0?G:q(t)?t:[t],s=new ee(":virtual",{},null,n,0,null);return s.$elm$=e,s},ne=(e,t)=>{if(e!=null&&typeof e!="boolean"){if(Yn(e)){const n=new ee("#text",L,null,G,0,null);return n.$text$=String(e),n}if(ft(e))return Kn(e,t);if(Q(e)){const n=new ee("#signal",L,null,G,0,null);return n.$signal$=e,n}if(q(e)){const n=zt(e.flatMap(s=>ne(s,t)));return T(n,s=>s.flat(100).filter(Qn))}return W(e)?e.then(n=>ne(n,t)):e===Xn?new ee(":skipRender",L,null,G,0,null):void 
Ie()}},Yn=e=>ge(e)||typeof e=="number",Zn=e=>{U(e,"q:container")==="paused"&&(Or(e),Br(e))},zr=e=>{const t=Ue(e),n=Qr(e===t.documentElement?t.body:e,"type");if(n)return JSON.parse(Dr(n.firstChild.data)||"{}")},li=(e,t)=>{const n=JSON.parse(e);if(typeof n!="object")return null;const{_objs:s,_entry:r}=n;if(s===void 0||r===void 0)return null;let o={},$={};if(me(t)&&ie(t)){const c=dt(t);c&&($=ye(c),o=c.ownerDocument)}const l=Ls($,o);for(let c=0;cs[H(c)];for(const c of s)jn(c,i,l);return i(r)},Or=e=>{if(!yo(e))return void Ie();const t=e._qwikjson_??zr(e);if(e._qwikjson_=null,!t)return void Ie();const n=Ue(e),s=Fr(e),r=ye(e),o=new Map,$=new Map;let l=null,i=0;const c=n.createTreeWalker(e,gs);for(;l=c.nextNode();){const f=l.data;if(i===0){if(f.startsWith("qv ")){const d=Ur(f);d>=0&&o.set(d,l)}else if(f.startsWith("t=")){const d=f.slice(2),y=H(d),w=Wr(l);o.set(y,w),$.set(y,w.data)}}f==="cq"?i++:f==="/cq"&&i--}const a=e.getElementsByClassName("qc📦").length!==0;e.querySelectorAll("[q\\:id]").forEach(f=>{if(a&&f.closest("[q\\:container]")!==e)return;const d=U(f,"q:id"),y=H(d);o.set(y,f)});const u=Ls(r,n),p=new Map,m=new Set,g=f=>(typeof f=="string"&&f.length>0,p.has(f)?p.get(f):S(f)),S=f=>{if(f.startsWith("#")){const v=f.slice(1),x=H(v);o.has(x);const E=o.get(x);if(Be(E)){if(!E.isConnected)return void p.set(f,void 0);const _=Xe(E);return p.set(f,_),N(_,r),_}return $e(E)?(p.set(f,E),N(E,r),E):(p.set(f,E),E)}if(f.startsWith("@")){const v=f.slice(1),x=H(v);return s[x]}if(f.startsWith("*")){const v=f.slice(1),x=H(v);o.has(x);const E=$.get(x);return p.set(f,E),E}const d=H(f),y=t.objs;y.length>d;let w=y[d];ge(w)&&(w=w===mt?void 0:u.prepare(w));let h=w;for(let v=f.length-1;v>=0;v--){const x=U$[f[v]];if(!x)break;h=x(h,r)}return p.set(f,h),Yn(w)||m.has(d)||(m.add(d),Lr(w,d,t.subs,g,r,u),jn(w,g,u)),h};r.$elementIndex$=1e5,r.$pauseCtx$={getObject:g,meta:t.ctx,refs:t.refs},D(e,"q:container","resumed"),hr(e,"qresume",void 0,!0)},Lr=(e,t,n,s,r,o)=>{const $=n[t];if($){const l=[];let 
i=0;for(const c of $)if(c.startsWith("_"))i=parseInt(c.slice(1),10);else{const a=V$(c,s);a&&l.push(a)}if(i>0&&ut(e,i),!o.subs(e,l)){const c=r.$proxyMap$.get(e);c?k(c).$addSubs$(l):He(e,r,l)}}},jn=(e,t,n)=>{if(!n.fill(e,t)&&e&&typeof e=="object"){if(q(e))for(let s=0;se.replace(/\\x3C(\/?script)/gi,"<$1"),Fr=e=>e.qFuncs??G,Qr=(e,t)=>{let n=e.lastElementChild;for(;n;){if(n.tagName==="SCRIPT"&&U(n,t)==="qwik/json")return n;n=n.previousElementSibling}},Wr=e=>{const t=e.nextSibling;if(Ct(t))return t;{const n=e.ownerDocument.createTextNode("");return e.parentElement.insertBefore(n,e),n}},Br=e=>{e.qwik={pause:()=>jo(e),state:ye(e)}},Ur=e=>{const t=e.indexOf("q:id=");return t>0?H(e.slice(t+5)):-1},Hr=()=>{const e=cs();let t=e.$qrl$;if(t)t.$captureRef$;else{const n=e.$element$,s=dt(n);t=ht(decodeURIComponent(String(e.$url$)),s),Zn(s);const r=N(n,ye(s));ks(t,r)}return t.$captureRef$},Gr=(e,t)=>{try{const n=t[0],s=e.$static$;switch(n){case 1:case 2:{let r,o;n===1?(r=t[1],o=t[3]):(r=t[3],o=t[1]);const $=F(r);if($==null)return;const l=t[4],i=r.namespaceURI===Ve;s.$containerState$.$subsManager$.$clearSignal$(t);let c=he(t[2],t.slice(0,-1));l==="class"?c=Gt(c,F(o)):l==="style"&&(c=Jt(c));const a=Yt($);return l in a.$props$&&a.$props$[l]===c?void 0:(a.$props$[l]=c,$n(s,r,l,c,i))}case 3:case 4:{const r=t[3];if(!s.$visited$.includes(r)){s.$containerState$.$subsManager$.$clearSignal$(t);const o=void 0;let $=he(t[2],t.slice(0,-1));const l=Y$();Array.isArray($)&&($=new qe(ze,{},null,$,0,null));let i=ne($,o);if(W(i))pe("Rendering promises in JSX signals is not supported");else{i===void 0&&(i=ne("",o));const c=Ss(r),a=Jr(t[1]);if(e.$cmpCtx$=N(a,e.$static$.$containerState$),c.$type$==i.$type$&&c.$key$==i.$key$&&c.$id$==i.$id$)xe(e,c,i,0);else{const u=[],p=c.$elm$,m=fe(e,i,0,u);u.length&&pe("Rendering promises in JSX signals is not supported"),l[3]=m,_e(e.$static$,r.parentElement,m,p),p&&ln(s,p)}}}}}}catch{}};function Jr(e){for(;e;){if(ie(e))return e;e=e.parentElement}throw new Error("Not 
found")}const Vr=(e,t)=>{if(e[0]===0){const n=e[1];tn(n)?Zt(n,t):Xr(n,t)}else Kr(e,t)},Xr=(e,t)=>{Zn(t.$containerEl$);const n=N(e,t);n.$componentQrl$,!(n.$flags$&Le)&&(n.$flags$|=Le,t.$hostsRendering$!==void 0?t.$hostsStaging$.add(n):(t.$hostsNext$.add(n),jt(t)))},Kr=(e,t)=>{const n=t.$hostsRendering$!==void 0;t.$opsNext$.add(e),n||jt(t)},Zt=(e,t)=>{e.$flags$&se||(e.$flags$|=se,t.$hostsRendering$!==void 0?t.$taskStaging$.add(e):(t.$taskNext$.add(e),jt(t)))},jt=e=>(e.$renderPromise$===void 0&&(e.$renderPromise$=Nt().nextTick(()=>es(e))),e.$renderPromise$),Yr=()=>{const[e]=Hr();Zt(e,ye(dt(e.$el$)))},es=async e=>{const t=e.$containerEl$,n=Ue(t);try{const s=br(n,e),r=s.$static$,o=e.$hostsRendering$=new Set(e.$hostsNext$);e.$hostsNext$.clear(),await jr(e,s),e.$hostsStaging$.forEach(i=>{o.add(i)}),e.$hostsStaging$.clear();const $=Array.from(e.$opsNext$);e.$opsNext$.clear();const l=Array.from(o);no(l),!e.$styleMoved$&&l.length>0&&(e.$styleMoved$=!0,(t===n.documentElement?n.body:t).querySelectorAll("style[q\\:style]").forEach(i=>{e.$styleIds$.add(U(i,Ot)),Rs(r,n.head,i)}));for(const i of l){const c=i.$element$;if(!r.$hostElements$.has(c)&&i.$componentQrl$){c.isConnected,r.$roots$.push(i);try{await Kt(s,i,Zr(c.parentElement))}catch(a){pe(a)}}}return $.forEach(i=>{Gr(s,i)}),r.$operations$.push(...r.$postOperations$),r.$operations$.length===0?(qn(r),void await vn(e,s)):(await qo(r),qn(r),vn(e,s))}catch(s){pe(s)}},Zr=e=>{let t=0;return e&&(e.namespaceURI===Ve&&(t|=O),e.tagName==="HEAD"&&(t|=et)),t},vn=async(e,t)=>{const n=t.$static$.$hostElements$;await to(e,t,(s,r)=>!!(s.$flags$&ts)&&(!r||n.has(s.$el$))),e.$hostsStaging$.forEach(s=>{e.$hostsNext$.add(s)}),e.$hostsStaging$.clear(),e.$hostsRendering$=void 0,e.$renderPromise$=void 0,e.$hostsNext$.size+e.$taskNext$.size+e.$opsNext$.size>0&&(e.$renderPromise$=es(e))},bt=e=>!!(e.$flags$&ns),xn=e=>!!(e.$flags$&en),jr=async(e,t)=>{const 
n=e.$containerEl$,s=[],r=[];e.$taskNext$.forEach(o=>{bt(o)&&(r.push(T(o.$qrl$.$resolveLazy$(n),()=>o)),e.$taskNext$.delete(o)),xn(o)&&(s.push(T(o.$qrl$.$resolveLazy$(n),()=>o)),e.$taskNext$.delete(o))});do if(e.$taskStaging$.forEach(o=>{bt(o)?r.push(T(o.$qrl$.$resolveLazy$(n),()=>o)):xn(o)?s.push(T(o.$qrl$.$resolveLazy$(n),()=>o)):e.$taskNext$.add(o)}),e.$taskStaging$.clear(),r.length>0){const o=await Promise.all(r);Ze(o),await Promise.all(o.map($=>je($,e,t))),r.length=0}while(e.$taskStaging$.size>0);if(s.length>0){const o=await Promise.all(s);Ze(o);for(const $ of o)je($,e,t)}},eo=(e,t)=>{const n=e.$containerEl$,s=e.$taskStaging$;if(!s.size)return;const r=[];let o=20;const $=()=>{if(s.forEach(l=>{console.error("task",l.$qrl$.$symbol$),bt(l)&&r.push(T(l.$qrl$.$resolveLazy$(n),()=>l))}),s.clear(),r.length>0)return Promise.all(r).then(async l=>{if(Ze(l),await Promise.all(l.map(i=>je(i,e,t))),r.length=0,--o&&s.size>0)return $();o||Ie(`Infinite task loop detected. Tasks: -${Array.from(s).map(i=>` ${i.$qrl$.$symbol$}`).join(` -`)}`)})};return $()},to=async(e,t,n)=>{const s=[],r=e.$containerEl$;e.$taskNext$.forEach(o=>{n(o,!1)&&(o.$el$.isConnected&&s.push(T(o.$qrl$.$resolveLazy$(r),()=>o)),e.$taskNext$.delete(o))});do if(e.$taskStaging$.forEach(o=>{o.$el$.isConnected&&(n(o,!0)?s.push(T(o.$qrl$.$resolveLazy$(r),()=>o)):e.$taskNext$.add(o))}),e.$taskStaging$.clear(),s.length>0){const o=await Promise.all(s);Ze(o);for(const $ of o)je($,e,t);s.length=0}while(e.$taskStaging$.size>0)},no=e=>{e.sort((t,n)=>2&t.$element$.compareDocumentPosition(ot(n.$element$))?1:-1)},Ze=e=>{e.sort((t,n)=>t.$el$===n.$el$?t.$index${const{val:n,set:s,iCtx:r,i:o,elCtx:$}=le();if(n)return;const l=r.$renderCtx$.$static$.$containerState$,i=new Ge(se|ns,o,$.$element$,e,void 0);s(!0),e.$resolveLazy$(l.$containerEl$),$.$tasks$||($.$tasks$=[]),$.$tasks$.push(i),po(r,()=>os(i,l,r.$renderCtx$))},ui=(e,t)=>{const{val:n,set:s,i:r,iCtx:o,elCtx:$}=le(),l=(t==null?void 
0:t.strategy)??"intersection-observer";if(n)return void ct();const i=new Ge(ts,r,$.$element$,e,void 0),c=o.$renderCtx$.$static$.$containerState$;$.$tasks$||($.$tasks$=[]),$.$tasks$.push(i),s(i),oo(i,l),e.$resolveLazy$(c.$containerEl$),Zt(i,c)},ss=e=>!!(e.$flags$&en),so=e=>!!(8&e.$flags$),je=async(e,t,n)=>(e.$flags$&se,ss(e)?rs(e,t,n):so(e)?ro(e,t,n):os(e,t,n)),rs=(e,t,n,s)=>{e.$flags$&=~se,Oe(e);const r=Z(n.$static$.$locale$,e.$el$,void 0,"qTask"),{$subsManager$:o}=t;r.$renderCtx$=n;const $=e.$qrl$.getFn(r,()=>{o.$clearSub$(e)}),l=[],i=e.$state$,c=gt(i),a={track:(d,y)=>{if(X(d)){const h=Z();return h.$renderCtx$=n,h.$subscriber$=[0,e],Y(h,d)}const w=k(d);return w?w.$addSub$([0,e],y):Mt(it(26),d),y?d[y]:Q(d)?d.value:d},cleanup(d){l.push(d)},cache(d){let y=0;y=d==="immutable"?1/0:d,i._cache=y},previous:c._resolved};let u,p,m=!1;const g=(d,y)=>!m&&(m=!0,d?(m=!0,i.loading=!1,i._state="resolved",i._resolved=y,i._error=void 0,u(y)):(m=!0,i.loading=!1,i._state="rejected",i._error=y,p(y)),!0);Y(r,()=>{i._state="pending",i.loading=!ct(),i.value=new Promise((d,y)=>{u=d,p=y})}),e.$destroy$=Bs(()=>{m=!0,l.forEach(d=>d())});const S=at(()=>T(s,()=>$(a)),d=>{g(!0,d)},d=>{g(!1,d)}),f=c._timeout;return f>0?Promise.race([S,$r(f).then(()=>{g(!1,new Error("timeout"))&&Oe(e)})]):S},os=(e,t,n)=>{e.$flags$&=~se,Oe(e);const s=e.$el$,r=Z(n.$static$.$locale$,s,void 0,"qTask");r.$renderCtx$=n;const{$subsManager$:o}=t,$=e.$qrl$.getFn(r,()=>{o.$clearSub$(e)}),l=[];e.$destroy$=Bs(()=>{l.forEach(c=>c())});const i={track:(c,a)=>{if(X(c)){const p=Z();return p.$subscriber$=[0,e],Y(p,c)}const u=k(c);return u?u.$addSub$([0,e],a):Mt(it(26),c),a?c[a]:Q(c)?c.value:c},cleanup(c){l.push(c)}};return at(()=>$(i),c=>{X(c)&&l.push(c)},c=>{Ut(c,s,n)})},ro=(e,t,n)=>{e.$state$,e.$flags$&=~se,Oe(e);const s=e.$el$,r=Z(n.$static$.$locale$,s,void 0,"qComputed");r.$subscriber$=[0,e],r.$renderCtx$=n;const{$subsManager$:o}=t,$=e.$qrl$.getFn(r,()=>{o.$clearSub$(e)});return at($,l=>rn(()=>{const 
i=e.$state$;i[De]&=~ds,i.untrackedValue=l,i[J].$notifySubs$()}),l=>{Ut(l,s,n)})},Oe=e=>{const t=e.$destroy$;if(t){e.$destroy$=void 0;try{t()}catch(n){pe(n)}}},$s=e=>{32&e.$flags$?(e.$flags$&=-33,(0,e.$qrl$)()):Oe(e)},oo=(e,t)=>{t==="visible"||t==="intersection-observer"?pr("qvisible",yt(e)):t==="load"||t==="document-ready"?Sn("qinit",yt(e)):t!=="idle"&&t!=="document-idle"||Sn("qidle",yt(e))},yt=e=>{const t=e.$qrl$;return Ke(t.$chunk$,"_hW",Yr,null,null,[e],t.$symbol$)},tn=e=>ce(e)&&e instanceof Ge,$o=(e,t)=>{let n=`${re(e.$flags$)} ${re(e.$index$)} ${t(e.$qrl$)} ${t(e.$el$)}`;return e.$state$&&(n+=` ${t(e.$state$)}`),n},io=e=>{const[t,n,s,r,o]=e.split(" ");return new Ge(H(t),H(n),r,s,o)};class Ge{constructor(t,n,s,r,o){this.$flags$=t,this.$index$=n,this.$el$=s,this.$qrl$=r,this.$state$=o}}function co(e){return lo(e)&&e.nodeType===1}function lo(e){return e&&typeof e.nodeType=="number"}const Le=1,_t=2,nn=4,is=8,F=e=>e[Lt],N=(e,t)=>{const n=F(e);if(n)return n;const s=sn(e),r=U(e,"q:id");if(r){const o=t.$pauseCtx$;if(s.$id$=r,o){const{getObject:$,meta:l,refs:i}=o;if(co(e)){const c=i[r];c&&(s.$refMap$=c.split(" ").map($),s.li=dr(s,t.$containerEl$))}else{const c=e.getAttribute("q:sstyle");s.$scopeIds$=c?c.split("|"):null;const a=l[r];if(a){const u=a.s,p=a.h,m=a.c,g=a.w;if(u&&(s.$seq$=u.split(" ").map($)),g&&(s.$tasks$=g.split(" ").map($)),m){s.$contexts$=new Map;for(const S of m.split(" ")){const[f,d]=S.split("=");s.$contexts$.set(f,$(d))}}if(p){const[S,f]=p.split(" ");if(s.$flags$=nn,S&&(s.$componentQrl$=$(S)),f){const d=$(f);s.$props$=d,ut(d,2),d[P]=ao(d)}else s.$props$=He(Bt(),t)}}}}}return s},ao=e=>{const t={},n=Se(e);for(const s in n)s.startsWith("$$")&&(t[s.slice(2)]=n[s]);return t},sn=e=>{const t={$flags$:0,$id$:"",$element$:e,$refMap$:[],li:[],$tasks$:null,$seq$:null,$slots$:null,$scopeIds$:null,$appendStyles$:null,$props$:null,$vdom$:null,$componentQrl$:null,$contexts$:null,$dynamicSlots$:null,$parentCtx$:void 0,$realParentCtx$:void 0};return 
e[Lt]=t,t},uo=(e,t)=>{var n;(n=e.$tasks$)==null||n.forEach(s=>{t.$clearSub$(s),$s(s)}),e.$componentQrl$=null,e.$seq$=null,e.$tasks$=null};let Te;function fi(e){if(Te===void 0){const t=K();if(t&&t.$locale$)return t.$locale$;if(e!==void 0)return e;throw new Error("Reading `locale` outside of context.")}return Te}function di(e,t){const n=Te;try{return Te=e,t()}finally{Te=n}}function fo(e){Te=e}let ke;const K=()=>{if(!ke){const e=typeof document<"u"&&document&&document.__q_context__;return e?q(e)?document.__q_context__=us(e):e:void 0}return ke},cs=()=>{const e=K();if(!e)throw I(14);return e},ls=()=>{const e=K();if(!e||e.$event$!=="qRender")throw I(20);return e.$hostElement$,e.$waitOn$,e.$renderCtx$,e.$subscriber$,e};function En(e){if(e==null)return e;const t=cs();return function(...n){return as.call(this,t,e,n)}}function Y(e,t,...n){return as.call(this,e,t,n)}function as(e,t,n){const s=ke;let r;try{ke=e,r=t.apply(this,n)}finally{ke=s}return r}const po=(e,t)=>{const n=e.$waitOn$;if(n.length===0){const s=t();W(s)&&n.push(s)}else n.push(Promise.all(n).then(t))},us=([e,t,n])=>{const s=e.closest("[q\\:container]"),r=(s==null?void 0:s.getAttribute("q:locale"))||void 0;return r&&fo(r),Z(r,void 0,e,t,n)},Z=(e,t,n,s,r)=>({$url$:r,$i$:0,$hostElement$:t,$element$:n,$event$:s,$qrl$:void 0,$waitOn$:void 0,$subscriber$:void 0,$renderCtx$:void 0,$locale$:e||(typeof s=="object"&&s&&"locale"in s?s.locale:void 0)}),dt=e=>e.closest("[q\\:container]"),rn=e=>Y(void 0,e),wn=Z(void 0,void 0,void 0,"qRender"),he=(e,t)=>(wn.$subscriber$=t,Y(wn,()=>e.value)),pi=()=>{var t;const e=K();if(e)return e.$element$??e.$hostElement$??((t=e.$qrl$)==null?void 0:t.$setContainer$(void 0))},hi=e=>{const t=K();return t&&t.$hostElement$&&t.$renderCtx$&&(N(t.$hostElement$,t.$renderCtx$.$static$.$containerState$).$flags$|=is),e},mi=e=>{const t=dt(e);return t?ye(t).$renderPromise$??Promise.resolve():Promise.resolve()};var fs;const ho=(e,t,n,s)=>{const r=t.$subsManager$.$createManager$(s);return new 
Fe(e,r,n)},De=Symbol("proxy manager"),mo=1,ds=2,ps=Symbol("unassigned signal");class Je{}class Fe extends Je{constructor(t,n,s){super(),this[fs]=0,this.untrackedValue=t,this[J]=n,this[De]=s}valueOf(){}toString(){return`[Signal ${String(this.value)}]`}toJSON(){return{value:this.value}}get value(){var n;if(this[De]&ds)throw ps;const t=(n=K())==null?void 0:n.$subscriber$;return t&&this[J].$addSub$(t),this.untrackedValue}set value(t){const n=this[J];n&&this.untrackedValue!==t&&(this.untrackedValue=t,n.$notifySubs$())}}fs=De;class Tt extends Je{constructor(t,n,s){super(),this.$func$=t,this.$args$=n,this.$funcStr$=s}get value(){return this.$func$.apply(void 0,this.$args$)}}class Rt extends Je{constructor(t,n){super(),this.ref=t,this.prop=n}get[J](){return k(this.ref)}get value(){return this.ref[this.prop]}set value(t){this.ref[this.prop]=t}}const Q=e=>e instanceof Je,go=(e,t)=>{var r,o;if(!ce(e))return e[t];if(e instanceof Je)return e;const n=Se(e);if(n){const $=n["$$"+t];if($)return $;if(((r=n[P])==null?void 0:r[t])!==!0)return new Rt(e,t)}const s=(o=e[P])==null?void 0:o[t];return Q(s)?s:P},gi=(e,t)=>{const n=go(e,t);return n===P?e[t]:n},bn=Symbol("ContainerState"),ye=e=>{let t=e[bn];return t||(e[bn]=t=hs(e,U(e,"q:base")??"/")),t},hs=(e,t)=>{const n={$containerEl$:e,$elementIndex$:0,$styleMoved$:!1,$proxyMap$:new WeakMap,$opsNext$:new Set,$taskNext$:new Set,$taskStaging$:new Set,$hostsNext$:new Set,$hostsStaging$:new Set,$styleIds$:new Set,$events$:new Set,$serverData$:{},$base$:t,$renderPromise$:void 0,$hostsRendering$:void 0,$pauseCtx$:void 0,$subsManager$:null,$inlineFns$:new Map};return n.$subsManager$=X$(n),n},ms=(e,t)=>{if(X(e))return e(t);if(Q(e))return e.value=t;throw I(32,e)},gs=128,yo=e=>$e(e)&&e.hasAttribute("q:container"),re=e=>e.toString(36),H=e=>parseInt(e,36),So=e=>{const t=e.indexOf(":");return e&&cr(e.slice(t+1))},Ve="http://www.w3.org/2000/svg",O=1,et=2,tt=[],nt=(e,t,n,s)=>{t.$elm$;const 
r=n.$children$;if(r.length===1&&r[0].$type$===":skipRender")return void(n.$children$=t.$children$);const o=t.$elm$;let $=rt;t.$children$===tt&&o.nodeName==="HEAD"&&($=Eo,s|=et);const l=vo(t,$);return l.length>0&&r.length>0?xo(e,o,l,r,s):l.length>0&&r.length===0?on(e.$static$,l,0,l.length-1):r.length>0?xs(e,o,null,r,0,r.length-1,s):void 0},vo=(e,t)=>{const n=e.$children$;return n===tt?e.$children$=ys(e.$elm$,t):n},xo=(e,t,n,s,r)=>{let o=0,$=0,l=n.length-1,i=n[0],c=n[l],a=s.length-1,u=s[0],p=s[a],m,g,S;const f=[],d=e.$static$;for(;o<=l&&$<=a;)if(i==null)i=n[++o];else if(c==null)c=n[--l];else if(u==null)u=s[++$];else if(p==null)p=s[--a];else if(i.$id$===u.$id$)f.push(xe(e,i,u,r)),i=n[++o],u=s[++$];else if(c.$id$===p.$id$)f.push(xe(e,c,p,r)),c=n[--l],p=s[--a];else if(i.$key$&&i.$id$===p.$id$)i.$elm$,c.$elm$,f.push(xe(e,i,p,r)),Oo(d,t,i.$elm$,c.$elm$),i=n[++o],p=s[--a];else if(c.$key$&&c.$id$===u.$id$)i.$elm$,c.$elm$,f.push(xe(e,c,u,r)),_e(d,t,c.$elm$,i.$elm$),c=n[--l],u=s[++$];else{if(m===void 0&&(m=ko(n,o,l)),g=m[u.$key$],g===void 0){const w=fe(e,u,r,f);_e(d,t,w,i==null?void 0:i.$elm$)}else if(S=n[g],S.$type$!==u.$type$){const w=fe(e,u,r,f);T(w,h=>{_e(d,t,h,i==null?void 0:i.$elm$)})}else f.push(xe(e,S,u,r)),n[g]=void 0,S.$elm$,_e(d,t,S.$elm$,i.$elm$);u=s[++$]}$<=a&&f.push(xs(e,t,s[a+1]==null?null:s[a+1].$elm$,s,$,a,r));let y=zt(f);return o<=l&&(y=T(y,()=>{on(d,n,o,l)})),y},be=(e,t)=>{const n=V(e)?e.close:null,s=[];let r=e.firstChild;for(;(r=an(r))&&(t(r)&&s.push(r),r=r.nextSibling,r!==n););return s},ys=(e,t)=>be(e,t).map(Ss),Ss=e=>{var t;return $e(e)?((t=F(e))==null?void 0:t.$vdom$)??st(e):st(e)},st=e=>{if(ie(e)){const t=new ee(e.localName,{},null,tt,0,Pt(e));return t.$elm$=e,t}if(Ct(e)){const t=new ee(e.nodeName,L,null,tt,0,null);return t.$text$=e.data,t.$elm$=e,t}},Eo=e=>{const t=e.nodeType;return t===1?e.hasAttribute("q:head"):t===111},It=e=>e.nodeName==="Q:TEMPLATE",rt=e=>{const t=e.nodeType;if(t===3||t===111)return!0;if(t!==1)return!1;const n=e.nodeName;return 
n!=="Q:TEMPLATE"&&(n==="HEAD"?e.hasAttribute("q:head"):n!=="STYLE"||!e.hasAttribute(Ot))},vs=e=>{const t={};for(const n of e){const s=wo(n);(t[s]??(t[s]=new ee(Pe,{[Wn]:""},null,[],0,s))).$children$.push(n)}return t},xe=(e,t,n,s)=>{t.$type$,n.$type$,t.$key$,n.$key$,t.$id$,n.$id$;const r=t.$elm$,o=n.$type$,$=e.$static$,l=$.$containerState$,i=e.$cmpCtx$;if(n.$elm$=r,o==="#text"){$.$visited$.push(r);const p=n.$signal$;return p&&(n.$text$=Vt(he(p,[4,i.$element$,p,r]))),void oe($,r,"data",n.$text$)}if(o==="#signal")return;const c=n.$props$,a=n.$flags$,u=N(r,l);if(o!==Pe){let p=!!(s&O);if(p||o!=="svg"||(s|=O,p=!0),c!==L){1&a||(u.li.length=0);const m=t.$props$;n.$props$=m;for(const g in c){let S=c[g];if(g!=="ref")if(Bn(g)){const f=Un(u.li,g,S,l.$containerEl$);bs($,r,f)}else Q(S)&&(S=he(S,[1,i.$element$,S,r,g])),g==="class"?S=Gt(S,i):g==="style"&&(S=Jt(S)),m[g]!==S&&(m[g]=S,$n($,r,g,S,p));else S!==void 0&&ms(S,r)}}return 2&a||(p&&o==="foreignObject"&&(s&=~O),c[ue]!==void 0)||o==="textarea"?void 0:nt(e,t,n,s)}if("q:renderFn"in c){const p=c.props;Ao(l,u,p);let m=!!(u.$flags$&Le);return m||u.$componentQrl$||u.$element$.hasAttribute("q:id")||(Jn(e,u),u.$componentQrl$=p["q:renderFn"],u.$componentQrl$,m=!0),m?T(Kt(e,u,s),()=>_n(e,u,n,s)):_n(e,u,n,s)}if("q:s"in c)return i.$slots$,void i.$slots$.push(n);if(ue in c)oe($,r,"innerHTML",c[ue]);else if(!(2&a))return nt(e,t,n,s)},_n=(e,t,n,s)=>{if(2&n.$flags$)return;const r=e.$static$,o=vs(n.$children$),$=ws(t);for(const l in $.slots)if(!o[l]){const i=$.slots[l],c=ys(i,rt);if(c.length>0){const a=F(i);a&&a.$vdom$&&(a.$vdom$.$children$=[]),on(r,c,0,c.length-1)}}for(const l in $.templates){const i=$.templates[l];i&&!o[l]&&($.templates[l]=void 0,ln(r,i))}return zt(Object.keys(o).map(l=>{const i=o[l],c=Es(r,$,t,l,e.$static$.$containerState$),a=Yt(c),u=Ht(e),p=c.$element$;u.$slotCtx$=c,c.$vdom$=i,i.$elm$=p;let m=s&~O;p.isSvg&&(m|=O);const g=r.$addSlots$.findIndex(S=>S[0]===p);return 
g>=0&&r.$addSlots$.splice(g,1),nt(u,a,i,m)}))},xs=(e,t,n,s,r,o,$)=>{const l=[];for(;r<=o;++r){const i=s[r],c=fe(e,i,$,l);_e(e.$static$,t,c,n)}return Ee(l)},on=(e,t,n,s)=>{for(;n<=s;++n){const r=t[n];r&&(r.$elm$,ln(e,r.$elm$))}},Es=(e,t,n,s,r)=>{const o=t.slots[s];if(o)return N(o,r);const $=t.templates[s];if($)return N($,r);const l=Is(e.$doc$,s),i=sn(l);return i.$parentCtx$=n,Fo(e,n.$element$,l),t.templates[s]=l,i},wo=e=>e.$props$[te]??"",fe=(e,t,n,s)=>{const r=t.$type$,o=e.$static$.$doc$,$=e.$cmpCtx$;if(r==="#text")return t.$elm$=o.createTextNode(t.$text$);if(r==="#signal"){const f=t.$signal$,d=f.value;if(ft(d)){const y=ne(d);if(Q(y))throw new Error("NOT IMPLEMENTED: Promise");if(Array.isArray(y))throw new Error("NOT IMPLEMENTED: Array");{const w=fe(e,y,n,s);return he(f,4&n?[3,w,f,w]:[4,$.$element$,f,w]),t.$elm$=w}}{const y=o.createTextNode(t.$text$);return y.data=t.$text$=Vt(d),he(f,4&n?[3,y,f,y]:[4,$.$element$,f,y]),t.$elm$=y}}let l,i=!!(n&O);i||r!=="svg"||(n|=O,i=!0);const c=r===Pe,a=t.$props$,u=e.$static$,p=u.$containerState$;c?l=Ho(o,i):r==="head"?(l=o.head,n|=et):(l=cn(o,r,i),n&=~et),2&t.$flags$&&(n|=4),t.$elm$=l;const m=sn(l);if(e.$slotCtx$?(m.$parentCtx$=e.$slotCtx$,m.$realParentCtx$=e.$cmpCtx$):m.$parentCtx$=e.$cmpCtx$,c){if("q:renderFn"in a){const f=a["q:renderFn"],d=Bt(),y=p.$subsManager$.$createManager$(),w=new Proxy(d,new Hn(p,y)),h=a.props;if(p.$proxyMap$.set(d,w),m.$props$=w,h!==L){const x=d[P]=h[P]??L;for(const E in h)if(E!=="children"&&E!==te){const _=x[E];Q(_)?d["$$"+E]=_:d[E]=h[E]}}Jn(e,m),m.$componentQrl$=f;const v=T(Kt(e,m,n),()=>{let x=t.$children$;if(x.length===0)return;x.length===1&&x[0].$type$===":skipRender"&&(x=x[0].$children$);const E=ws(m),_=[],C=vs(x);for(const M in C){const B=C[M],ae=Es(u,E,m,M,u.$containerState$),j=Ht(e),ve=ae.$element$;j.$slotCtx$=ae,ae.$vdom$=B,B.$elm$=ve;let z=n&~O;ve.isSvg&&(z|=O);for(const A of B.$children$){const Ce=fe(j,A,z,_);A.$elm$,A.$elm$,Rs(u,ve,Ce)}}return Ee(_)});return W(v)&&s.push(v),l}if("q:s"in 
a)$.$slots$,Bo(l,t.$key$),D(l,"q:sref",$.$id$),D(l,"q:s",""),$.$slots$.push(t),u.$addSlots$.push([l,$.$element$]);else if(ue in a)return oe(u,l,"innerHTML",a[ue]),l}else{if(t.$immutableProps$){const f=a!==L?Object.fromEntries(Object.entries(t.$immutableProps$).map(([d,y])=>[d,y===P?a[d]:y])):t.$immutableProps$;In(u,m,$,f,i,!0)}if(a!==L){m.$vdom$=t;const f=t.$immutableProps$?Object.fromEntries(Object.entries(a).filter(([d])=>!(d in t.$immutableProps$))):a;t.$props$=In(u,m,$,f,i,!1)}if(i&&r==="foreignObject"&&(i=!1,n&=~O),$){const f=$.$scopeIds$;f&&f.forEach(d=>{l.classList.add(d)}),$.$flags$&_t&&(m.li.push(...$.li),$.$flags$&=~_t)}for(const f of m.li)bs(u,l,f[0]);if(a[ue]!==void 0)return l;i&&r==="foreignObject"&&(i=!1,n&=~O)}let g=t.$children$;if(g.length===0)return l;g.length===1&&g[0].$type$===":skipRender"&&(g=g[0].$children$);const S=g.map(f=>fe(e,f,n,s));for(const f of S)Qe(l,f);return l},bo=e=>{const t=e.$slots$;return t||(e.$element$.parentElement,e.$slots$=_o(e))},ws=e=>{const t=bo(e),n={},s={},r=Array.from(e.$element$.childNodes).filter(It);for(const o of t)o.$elm$,n[o.$key$??""]=o.$elm$;for(const o of r)s[U(o,te)??""]=o;return{slots:n,templates:s}},_o=e=>{const t=e.$element$.parentElement;return Xo(t,"q:sref",e.$id$).map(st)},To=(e,t,n)=>(oe(e,t.style,"cssText",n),!0),Tn=(e,t,n)=>(t.namespaceURI===Ve?We(e,t,"class",n):oe(e,t,"className",n),!0),Rn=(e,t,n,s)=>s in t&&((t[s]!==n||s==="value"&&!t.hasAttribute(s))&&(s==="value"&&t.tagName!=="OPTION"?zo(e,t,s,n):oe(e,t,s,n)),!0),Me=(e,t,n,s)=>(We(e,t,s.toLowerCase(),n),!0),Ro=(e,t,n)=>(oe(e,t,"innerHTML",n),!0),Io=()=>!0,Po={style:To,class:Tn,className:Tn,value:Rn,checked:Rn,href:Me,list:Me,form:Me,tabIndex:Me,download:Me,innerHTML:Io,[ue]:Ro},$n=(e,t,n,s,r)=>{if(Rr(n))return void We(e,t,n,s!=null?String(s):s);const o=Po[n];o&&o(e,t,s,n)||(r||!(n in t)?(n.startsWith(ar)&&_s(n.slice(15)),We(e,t,n,s)):oe(e,t,n,s))},In=(e,t,n,s,r,o)=>{const $={},l=t.$element$;for(const i in s){let 
c=s[i];if(i!=="ref")if(Bn(i))Un(t.li,i,c,e.$containerState$.$containerEl$);else{if(Q(c)&&(c=he(c,o?[1,l,c,n.$element$,i]:[2,n.$element$,c,l,i])),i==="class"){if(c=Gt(c,n),!c)continue}else i==="style"&&(c=Jt(c));$[i]=c,$n(e,l,i,c,r)}else c!==void 0&&ms(c,l)}return $},Ao=(e,t,n)=>{let s=t.$props$;if(s||(t.$props$=s=He(Bt(),e)),n===L)return;const r=k(s),o=Se(s),$=o[P]=n[P]??L;for(const l in n)if(l!=="children"&&l!==te&&!$[l]){const i=n[l];o[l]!==i&&(o[l]=i,r.$notifySubs$(l))}},Ne=(e,t,n,s)=>{if(n.$clearSub$(e),ie(e)){if(s&&e.hasAttribute("q:s"))return void t.$rmSlots$.push(e);const r=F(e);r&&uo(r,n);const o=V(e)?e.close:null;let $=e.firstChild;for(;($=an($))&&(Ne($,t,n,!0),$=$.nextSibling,$!==o););}},Pn=()=>{document.__q_scroll_restore__&&(document.__q_scroll_restore__(),document.__q_scroll_restore__=void 0)},qo=async e=>{document.__q_view_transition__&&(document.__q_view_transition__=void 0,document.startViewTransition)?await document.startViewTransition(()=>{An(e),Pn()}).finished:(An(e),Pn())},Qe=(e,t)=>{V(t)?t.appendTo(e):e.appendChild(t)},Co=(e,t)=>{V(t)?t.remove():e.removeChild(t)},Mo=(e,t,n)=>{V(t)?t.insertBeforeTo(e,(n==null?void 0:n.nextSibling)??null):e.insertBefore(t,(n==null?void 0:n.nextSibling)??null)},pt=(e,t,n)=>{V(t)?t.insertBeforeTo(e,ot(n)):e.insertBefore(t,ot(n))},ko=(e,t,n)=>{const s={};for(let r=t;r<=n;++r){const o=e[r].$key$;o!=null&&(s[o]=r)}return s},bs=(e,t,n)=>{n.startsWith("on:")||We(e,t,n,""),_s(n)},_s=e=>{var t;{const n=So(e);try{((t=globalThis).qwikevents||(t.qwikevents=[])).push(n)}catch{}}},We=(e,t,n,s)=>{e.$operations$.push({$operation$:No,$args$:[t,n,s]})},No=(e,t,n)=>{if(n==null||n===!1)e.removeAttribute(t);else{const 
s=n===!0?"":String(n);D(e,t,s)}},oe=(e,t,n,s)=>{e.$operations$.push({$operation$:Ts,$args$:[t,n,s]})},zo=(e,t,n,s)=>{e.$postOperations$.push({$operation$:Ts,$args$:[t,n,s]})},Ts=(e,t,n)=>{try{e[t]=n??"",n==null&&me(e)&&$e(e)&&e.removeAttribute(t)}catch(s){pe(it(6),t,{node:e,value:n},s)}},cn=(e,t,n)=>n?e.createElementNS(Ve,t):e.createElement(t),_e=(e,t,n,s)=>(e.$operations$.push({$operation$:pt,$args$:[t,n,s||null]}),n),Oo=(e,t,n,s)=>(e.$operations$.push({$operation$:Mo,$args$:[t,n,s||null]}),n),Rs=(e,t,n)=>(e.$operations$.push({$operation$:Qe,$args$:[t,n]}),n),Lo=(e,t)=>{e.$containerState$.$styleIds$.add(t.styleId),e.$postOperations$.push({$operation$:Do,$args$:[e.$containerState$,t]})},Do=(e,t)=>{const n=e.$containerEl$,s=Ue(n),r=s.documentElement===n,o=s.head,$=s.createElement("style");D($,Ot,t.styleId),D($,"hidden",""),$.textContent=t.content,r&&o?Qe(o,$):pt(n,$,n.firstChild)},Fo=(e,t,n)=>{e.$operations$.push({$operation$:Qo,$args$:[t,n]})},Qo=(e,t)=>{pt(e,t,e.firstChild)},ln=(e,t)=>{ie(t)&&Ne(t,e,e.$containerState$.$subsManager$,!0),e.$operations$.push({$operation$:Wo,$args$:[t,e]})},Wo=e=>{const t=e.parentElement;t&&Co(t,e)},Is=(e,t)=>{const n=cn(e,"q:template",!1);return D(n,te,t),D(n,"hidden",""),D(n,"aria-hidden","true"),n},An=e=>{for(const t of e.$operations$)t.$operation$.apply(void 0,t.$args$);Uo(e)},Pt=e=>U(e,"q:key"),Bo=(e,t)=>{t!==null&&D(e,"q:key",t)},Uo=e=>{const t=e.$containerState$.$subsManager$;for(const n of e.$rmSlots$){const s=Pt(n),r=be(n,rt);if(r.length>0){const o=n.getAttribute("q:sref"),$=e.$roots$.find(l=>l.$id$===o);if($){const l=$.$element$;if(l.isConnected)if(be(l,It).some(i=>U(i,te)===s))Ne(n,e,t,!1);else{const i=Is(e.$doc$,s);for(const c of r)Qe(i,c);pt(l,i,l.firstChild)}else Ne(n,e,t,!1)}else Ne(n,e,t,!1)}}for(const[n,s]of e.$addSlots$){const r=Pt(n),o=be(s,It).find($=>$.getAttribute(te)===r);o&&(be(o,rt).forEach($=>{Qe(n,$)}),o.remove())}},qn=()=>{},Ho=(e,t)=>{const n=e.createComment("qv "),s=e.createComment("/qv");return new 
Ps(n,s,t)},Go=e=>{if(!e)return{};const t=e.split(" ");return Object.fromEntries(t.map(n=>{const s=n.indexOf("=");return s>=0?[n.slice(0,s),Yo(n.slice(s+1))]:[n,""]}))},Jo=e=>{const t=[];return Object.entries(e).forEach(([n,s])=>{t.push(s?`${n}=${Ko(s)}`:`${n}`)}),t.join(" ")},Vo=(e,t,n)=>e.ownerDocument.createTreeWalker(e,128,{acceptNode(s){const r=Xe(s);return r&&U(r,t)===n?1:2}}),Xo=(e,t,n)=>{const s=Vo(e,t,n),r=[];let o=null;for(;o=s.nextNode();)r.push(Xe(o));return r},Ko=e=>e.replace(/ /g,"+"),Yo=e=>e.replace(/\+/g," "),Pe=":virtual";class Ps{constructor(t,n,s){this.open=t,this.close=n,this.isSvg=s,this._qc_=null,this.nodeType=111,this.localName=Pe,this.nodeName=Pe;const r=this.ownerDocument=t.ownerDocument;this.$template$=cn(r,"template",!1),this.$attributes$=Go(t.data.slice(3)),t.data.startsWith("qv "),t.__virtual=this,n.__virtual=this}insertBefore(t,n){const s=this.parentElement;return s?s.insertBefore(t,n||this.close):this.$template$.insertBefore(t,n),t}remove(){const t=this.parentElement;if(t){const n=this.childNodes;this.$template$.childElementCount,t.removeChild(this.open);for(let s=0;s{ie(s)&&(s.matches(t)&&n.push(s),n.concat(Array.from(s.querySelectorAll(t))))}),n}querySelector(t){for(const n of this.childNodes)if($e(n)){if(n.matches(t))return n;const s=n.querySelector(t);if(s!==null)return s}return null}get innerHTML(){return""}set innerHTML(t){const n=this.parentElement;n?(this.childNodes.forEach(s=>this.removeChild(s)),this.$template$.innerHTML=t,n.insertBefore(this.$template$.content,this.close)):this.$template$.innerHTML=t}get firstChild(){if(this.parentElement){const t=this.open.nextSibling;return t===this.close?null:t}return this.$template$.firstChild}get nextSibling(){return this.close.nextSibling}get previousSibling(){return this.open.previousSibling}get childNodes(){if(!this.parentElement)return Array.from(this.$template$.childNodes);const t=[];let n=this.open;for(;(n=n.nextSibling)&&n!==this.close;)t.push(n);return t}get isConnected(){return 
this.open.isConnected}get parentElement(){return this.open.parentElement}}const Cn=e=>`qv ${Jo(e)}`,an=e=>{if(e==null)return null;if(Be(e)){const t=Xe(e);if(t)return t}return e},Zo=e=>{let t=e,n=1;for(;t=t.nextSibling;)if(Be(t)){const s=t.__virtual;if(s)t=s;else if(t.data.startsWith("qv "))n++;else if(t.data==="/qv"&&(n--,n===0))return t}},Xe=e=>{var n;const t=e.__virtual;if(t)return t;if(e.data.startsWith("qv ")){const s=Zo(e);return new Ps(e,s,((n=e.parentElement)==null?void 0:n.namespaceURI)===Ve)}return null},ot=e=>e==null?null:V(e)?e.open:e,yi=async e=>{const t=hs(null,null),n=As(t);let s;for(b(e,n,!1);(s=n.$promises$).length>0;){n.$promises$=[];const c=await Promise.allSettled(s);for(const a of c)a.status==="rejected"&&console.error(a.reason)}const r=Array.from(n.$objSet$.keys());let o=0;const $=new Map;for(const c of r)$.set(c,re(o)),o++;if(n.$noSerialize$.length>0){const c=$.get(void 0);for(const a of n.$noSerialize$)$.set(a,c)}const l=c=>{let a="";if(W(c)){const p=qs(c);if(!p)throw I(27,c);c=p.value,a+=p.resolved?"~":"_"}if(ce(c)){const p=Se(c);p&&(a+="!",c=p)}const u=$.get(c);if(u===void 0)throw I(27,c);return u+a},i=Ms(r,l,null,n,t);return JSON.stringify({_entry:l(e),_objs:i})},jo=async e=>{const t=Ue(e),n=t.documentElement,s=Dn(e)?n:e;if(U(s,"q:container")==="paused")throw I(21);const r=s===t.documentElement?t.body:s,o=ye(s),$=t$(s,c$);D(s,"q:container","paused");for(const u of $){const p=u.$element$,m=u.li;if(u.$scopeIds$){const g=Cr(u.$scopeIds$);g&&p.setAttribute("q:sstyle",g)}if(u.$id$&&p.setAttribute("q:id",u.$id$),$e(p)&&m.length>0){const g=ur(m);for(const S of g)p.setAttribute(S[0],h$(S[1],o,u))}}const l=await e$($,o,u=>me(u)&&Ct(u)?u$(u,o):null),i=t.createElement("script");D(i,"type","qwik/json"),i.textContent=o$(JSON.stringify(l.state,void 0,void 0)),r.appendChild(i);const c=Array.from(o.$events$,u=>JSON.stringify(u)),a=t.createElement("script");return a.textContent=`(window.qwikevents||=[]).push(${c.join(", 
")})`,r.appendChild(a),l},e$=async(e,t,n,s)=>{var w;const r=As(t);s==null||s.forEach((h,v)=>{r.$seen$.add(v)});let o=!1;for(const h of e)if(h.$tasks$)for(const v of h.$tasks$)ss(v)&&r.$resources$.push(v.$state$),$s(v);for(const h of e){const v=h.$element$,x=h.li;for(const E of x)if($e(v)){const _=E[1],C=_.$captureRef$;if(C)for(const M of C)b(M,r,!0);r.$qrls$.push(_),o=!0}}if(!o)return{state:{refs:{},ctx:{},objs:[],subs:[]},objs:[],funcs:[],qrls:[],resources:r.$resources$,mode:"static"};let $;for(;($=r.$promises$).length>0;)r.$promises$=[],await Promise.all($);const l=r.$elements$.length>0;if(l){for(const h of r.$deferElements$)un(h,r,h.$element$);for(const h of e)n$(h,r)}for(;($=r.$promises$).length>0;)r.$promises$=[],await Promise.all($);const i=new Map,c=Array.from(r.$objSet$.keys()),a=new Map,u=h=>{let v="";if(W(h)){const _=qs(h);if(!_)return null;h=_.value,v+=_.resolved?"~":"_"}if(ce(h)){const _=Se(h);if(_)v+="!",h=_;else if(ie(h)){const C=(M=>{let B=i.get(M);return B===void 0&&(B=a$(M),B||console.warn("Missing ID",M),i.set(M,B)),B})(h);return C?"#"+C+v:null}}const x=a.get(h);if(x)return x+v;const E=s==null?void 0:s.get(h);return E?"*"+E:n?n(h):null},p=h=>{const v=u(h);if(v===null){if(pn(h)){const x=re(a.size);return a.set(h,x),x}throw I(27,h)}return v},m=new Map;for(const h of c){const v=(w=l$(h,t))==null?void 0:w.$subs$;if(!v)continue;const x=Us(h)??0,E=[];1&x&&E.push(x);for(const _ of v){const C=_[1];_[0]===0&&me(C)&&V(C)&&!r.$elements$.includes(F(C))||E.push(_)}E.length>0&&m.set(h,E)}c.sort((h,v)=>(m.has(h)?0:1)-(m.has(v)?0:1));let g=0;for(const h of c)a.set(h,re(g)),g++;if(r.$noSerialize$.length>0){const h=a.get(void 0);for(const v of r.$noSerialize$)a.set(v,h)}const S=[];for(const h of c){const v=m.get(h);if(v==null)break;S.push(v.map(x=>typeof x=="number"?`_${x}`:J$(x,u)).filter(Qn))}S.length,m.size;const f=Ms(c,p,u,r,t),d={},y={};for(const h of e){const 
v=h.$element$,x=h.$id$,E=h.$refMap$,_=h.$props$,C=h.$contexts$,M=h.$tasks$,B=h.$componentQrl$,ae=h.$seq$,j={},ve=V(v)&&r.$elements$.includes(h);if(E.length>0){const z=de(E,p," ");z&&(y[x]=z)}else if(l){let z=!1;if(ve){const A=u(_);j.h=p(B)+(A?" "+A:""),z=!0}else{const A=u(_);A&&(j.h=" "+A,z=!0)}if(M&&M.length>0){const A=de(M,u," ");A&&(j.w=A,z=!0)}if(ve&&ae&&ae.length>0){const A=de(ae,p," ");j.s=A,z=!0}if(C){const A=[];C.forEach((Xs,Ks)=>{const hn=u(Xs);hn&&A.push(`${Ks}=${hn}`)});const Ce=A.join(" ");Ce&&(j.c=Ce,z=!0)}z&&(d[x]=j)}}return{state:{refs:y,ctx:d,objs:f,subs:S},objs:c,funcs:r.$inlinedFunctions$,resources:r.$resources$,qrls:r.$qrls$,mode:l?"render":"listeners"}},de=(e,t,n)=>{let s="";for(const r of e){const o=t(r);o!==null&&(s!==""&&(s+=n),s+=o)}return s},t$=(e,t)=>{const n=[],s=t(e);s!==void 0&&n.push(s);const r=e.ownerDocument.createTreeWalker(e,1|gs,{acceptNode(o){if(i$(o))return 2;const $=t(o);return $!==void 0&&n.push($),3}});for(;r.nextNode(););return n},n$=(e,t)=>{var r;const n=e.$realParentCtx$||e.$parentCtx$,s=e.$props$;if(n&&s&&!Cs(s)&&t.$elements$.includes(n)){const o=(r=k(s))==null?void 0:r.$subs$,$=e.$element$;if(o)for(const[l,i]of o)l===0?(i!==$&&Ae(k(s),t,!1),me(i)?r$(i,t):b(i,t,!0)):(b(s,t,!1),Ae(k(s),t,!1))}},As=e=>{const t=[];return e.$inlineFns$.forEach((n,s)=>{for(;t.length<=n;)t.push("");t[n]=s}),{$containerState$:e,$seen$:new Set,$objSet$:new Set,$prefetch$:0,$noSerialize$:[],$inlinedFunctions$:t,$resources$:[],$elements$:[],$qrls$:[],$deferElements$:[],$promises$:[]}},s$=(e,t)=>{const n=F(e);t.$elements$.includes(n)||(t.$elements$.push(n),n.$flags$&is?(t.$prefetch$++,un(n,t,!0),t.$prefetch$--):t.$deferElements$.push(n))},r$=(e,t)=>{const n=F(e);if(n){if(t.$elements$.includes(n))return;t.$elements$.push(n),un(n,t,e)}},un=(e,t,n)=>{if(e.$props$&&!Cs(e.$props$)&&(b(e.$props$,t,n),Ae(k(e.$props$),t,n)),e.$componentQrl$&&b(e.$componentQrl$,t,n),e.$seq$)for(const s of e.$seq$)b(s,t,n);if(e.$tasks$){const 
s=t.$containerState$.$subsManager$.$groupToManagers$;for(const r of e.$tasks$)s.has(r)&&b(r,t,n)}if(n===!0&&(Mn(e,t),e.$dynamicSlots$))for(const s of e.$dynamicSlots$)Mn(s,t)},Mn=(e,t)=>{for(;e;){if(e.$contexts$)for(const n of e.$contexts$.values())b(n,t,!0);e=e.$parentCtx$}},o$=e=>e.replace(/<(\/?script)/gi,"\\x3C$1"),Ae=(e,t,n)=>{if(t.$seen$.has(e))return;t.$seen$.add(e);const s=e.$subs$;for(const r of s)if(r[0]>0&&b(r[2],t,n),n===!0){const o=r[1];me(o)&&V(o)?r[0]===0&&s$(o,t):b(o,t,!0)}},At=Symbol(),$$=e=>e.then(t=>(e[At]={resolved:!0,value:t},t),t=>(e[At]={resolved:!1,value:t},t)),qs=e=>e[At],b=(e,t,n)=>{if(e!=null){const s=typeof e;switch(s){case"function":case"object":{if(t.$seen$.has(e))return;if(t.$seen$.add(e),Qs(e))return t.$objSet$.add(void 0),void t.$noSerialize$.push(e);const r=e,o=Se(e);if(o){const $=!(2&Us(e=o));if(n&&$&&Ae(k(r),t,n),Ws(r))return void t.$objSet$.add(e)}if(W$(e,t,n))return void t.$objSet$.add(e);if(W(e))return void t.$promises$.push($$(e).then($=>{b($,t,n)}));if(s==="object"){if(me(e))return;if(q(e))for(let $=0;$$e(e)&&e.hasAttribute("q:container"),c$=e=>{const t=an(e);if(ie(t)){const n=F(t);if(n&&n.$id$)return n}},l$=(e,t)=>{if(!ce(e))return;if(e instanceof Fe)return k(e);const n=t.$proxyMap$.get(e);return n?k(n):void 0},a$=e=>{const t=F(e);return t?t.$id$:null},u$=(e,t)=>{const n=e.previousSibling;if(n&&Be(n)&&n.data.startsWith("t="))return"#"+n.data.slice(2);const s=e.ownerDocument,r=re(t.$elementIndex$++),o=s.createComment(`t=${r}`),$=s.createComment(""),l=e.parentElement;return l.insertBefore(o,e),l.insertBefore($,e.nextSibling),"#"+r},Cs=e=>Object.keys(e).length===0;function Ms(e,t,n,s,r){return e.map(o=>{if(o===null)return null;const $=typeof o;switch($){case"undefined":return mt;case"number":if(!Number.isFinite(o))break;return o;case"string":if(o.charCodeAt(0)<32)break;return o;case"boolean":return o}const l=B$(o,t,s,r);if(l!==void 0)return l;if($==="object"){if(q(o))return o.map(t);if(lt(o)){const i={};for(const c in 
o)if(n){const a=n(o[c]);a!==null&&(i[c]=a)}else i[c]=t(o[c]);return i}}throw I(3,o)})}const f$=/\(\s*(['"])([^\1]+)\1\s*\)/,d$=/Promise\s*\.\s*resolve/,p$=/[\\/(]([\w\d.\-_]+\.(js|ts)x?):/,kn=new Set,Si=(e,t,n=G,s=0)=>{let r=null,o=null;if(X(e)){o=e;{let $;const l=String(e);if(($=l.match(f$))&&$[2])r=$[2];else{if(!($=l.match(d$)))throw I(11,l);{const i="QWIK-SELF",c=new Error(i).stack.split(` -`),a=c.findIndex(u=>u.includes(i));$=c[a+2+s].match(p$),r=$?$[1]:"main"}}}}else{if(!ge(e))throw I(12,e);r=e}return kn.has(t)||(kn.add(t),Js("qprefetch",{symbols:[Gs(t)],bundles:[r]})),Ke(r,t,null,o,null,n,null)},vi=(e,t=G)=>Ke(null,e,null,null,null,t,null),fn=(e,t={})=>{let n=e.$symbol$,s=e.$chunk$;const r=e.$refSymbol$??n,o=Nt();if(o){const c=o.chunkForSymbol(r,s);c&&(s=c[1],e.$refSymbol$||(n=c[0]))}if(s==null)throw I(31,e.$symbol$);if(s.startsWith("./")&&(s=s.slice(2)),Z$(e))if(t.$containerState$){const c=t.$containerState$,a=e.resolved.toString();let u=c.$inlineFns$.get(a);u===void 0&&(u=c.$inlineFns$.size,c.$inlineFns$.set(a,u)),n=String(u)}else nr("Sync QRL without containerState");let $=`${s}#${n}`;const l=e.$capture$,i=e.$captureRef$;return i&&i.length?t.$getObjId$?$+=`[${de(i,t.$getObjId$," ")}]`:t.$addRefMap$&&($+=`[${de(i,t.$addRefMap$," ")}]`):l&&l.length>0&&($+=`[${l.join(" ")}]`),$},h$=(e,t,n)=>{n.$element$;const s={$containerState$:t,$addRefMap$:r=>m$(n.$refMap$,r)};return de(e,r=>fn(r,s),` -`)},ht=(e,t)=>{const n=e.length,s=Nn(e,0,"#"),r=Nn(e,s,"["),o=Math.min(s,r),$=e.substring(0,o),l=s==n?s:s+1,i=l==r?"default":e.substring(l,r),c=r===n?G:e.substring(r+1,n-1).split(" "),a=Ke($,i,null,null,c,null,null);return t&&a.$setContainer$(t),a},Nn=(e,t,n)=>{const s=e.length,r=e.indexOf(n,t==s?0:t);return r==-1?s:r},m$=(e,t)=>{const n=e.indexOf(t);return n===-1?(e.push(t),String(e.length-1)):String(n)},ks=(e,t)=>(e.$capture$,e.$captureRef$=e.$capture$.map(n=>{const s=parseInt(n,10),r=t.$refMap$[s];return 
t.$refMap$.length>s,r})),xi=(e,t)=>{const{val:n,set:s,i:r,iCtx:o,elCtx:$}=le();if(n!=null)return n;const l=o.$renderCtx$.$static$.$containerState$,i=g$(l,t),c=new Ge(se|en,r,$.$element$,e,i),a=Promise.all(o.$waitOn$.slice());return rs(c,l,o.$renderCtx$,a),$.$tasks$||($.$tasks$=[]),$.$tasks$.push(c),s(i),i},Ei=e=>{const t=e.value;let n;if(zs(t)){{if(e.onRejected&&(t.value.catch(()=>{}),t._state==="rejected"))return e.onRejected(t._error);if(e.onPending){const s=t._state;if(s==="resolved")return e.onResolved(t._resolved);if(s==="pending")return e.onPending();if(s==="rejected")throw t._error}if(rn(()=>t._resolved)!==void 0)return e.onResolved(t._resolved)}n=t.value}else if(W(t))n=t;else{if(!Q(t))return e.onResolved(t);n=Promise.resolve(t.value)}return kr(Ye,{children:n.then(En(e.onResolved),En(e.onRejected))})},Ns=e=>({__brand:"resource",value:void 0,loading:!ct(),_resolved:void 0,_error:void 0,_state:"pending",_timeout:(e==null?void 0:e.timeout)??-1,_cache:0}),g$=(e,t,n)=>{const s=Ns(t);return s.value=n,He(s,e,void 0)},zs=e=>ce(e)&&e.__brand==="resource",y$=(e,t)=>{const n=e._state;return n==="resolved"?`0 ${t(e._resolved)}`:n==="pending"?"1":`2 ${t(e._error)}`},S$=e=>{const[t,n]=e.split(" "),s=Ns(void 0);return s.value=Promise.resolve(),t==="0"?(s._state="resolved",s._resolved=n,s.loading=!1):t==="1"?(s._state="pending",s.value=new Promise(()=>{}),s.loading=!0):t==="2"&&(s._state="rejected",s._error=n,s.loading=!1),s},qt=e=>Xt(ze,{[Wn]:""},0,e.name??""),mt="";function R(e){return{$prefixCode$:e.$prefix$.charCodeAt(0),$prefixChar$:e.$prefix$,$test$:e.$test$,$serialize$:e.$serialize$,$prepare$:e.$prepare$,$fill$:e.$fill$,$collect$:e.$collect$,$subs$:e.$subs$}}const v$=R({$prefix$:"",$test$:e=>pn(e),$collect$:(e,t,n)=>{if(e.$captureRef$)for(const s of 
e.$captureRef$)b(s,t,n);t.$prefetch$===0&&t.$qrls$.push(e)},$serialize$:(e,t)=>fn(e,{$getObjId$:t}),$prepare$:(e,t)=>ht(e,t.$containerEl$),$fill$:(e,t)=>{e.$capture$&&e.$capture$.length>0&&(e.$captureRef$=e.$capture$.map(t),e.$capture$=null)}}),x$=R({$prefix$:"",$test$:e=>tn(e),$collect$:(e,t,n)=>{b(e.$qrl$,t,n),e.$state$&&(b(e.$state$,t,n),n===!0&&e.$state$ instanceof Fe&&Ae(e.$state$[J],t,!0))},$serialize$:(e,t)=>$o(e,t),$prepare$:e=>io(e),$fill$:(e,t)=>{e.$el$=t(e.$el$),e.$qrl$=t(e.$qrl$),e.$state$&&(e.$state$=t(e.$state$))}}),E$=R({$prefix$:"",$test$:e=>zs(e),$collect$:(e,t,n)=>{b(e.value,t,n),b(e._resolved,t,n)},$serialize$:(e,t)=>y$(e,t),$prepare$:e=>S$(e),$fill$:(e,t)=>{if(e._state==="resolved")e._resolved=t(e._resolved),e.value=Promise.resolve(e._resolved);else if(e._state==="rejected"){const n=Promise.reject(e._error);n.catch(()=>null),e._error=t(e._error),e.value=n}}}),w$=R({$prefix$:"",$test$:e=>e instanceof URL,$serialize$:e=>e.href,$prepare$:e=>new URL(e)}),b$=R({$prefix$:"",$test$:e=>e instanceof Date,$serialize$:e=>e.toISOString(),$prepare$:e=>new Date(e)}),_$=R({$prefix$:"\x07",$test$:e=>e instanceof RegExp,$serialize$:e=>`${e.flags} ${e.source}`,$prepare$:e=>{const t=e.indexOf(" "),n=e.slice(t+1),s=e.slice(0,t);return new RegExp(n,s)}}),T$=R({$prefix$:"",$test$:e=>e instanceof Error,$serialize$:e=>e.message,$prepare$:e=>{const t=new Error(e);return t.stack=void 0,t}}),R$=R({$prefix$:"",$test$:e=>!!e&&typeof e=="object"&&Dn(e),$prepare$:(e,t,n)=>n}),$t=Symbol("serializable-data"),I$=R({$prefix$:"",$test$:e=>Vs(e),$serialize$:(e,t)=>{const[n]=e[$t];return fn(n,{$getObjId$:t})},$prepare$:(e,t)=>{const n=ht(e,t.$containerEl$);return ti(n)},$fill$:(e,t)=>{var s;const[n]=e[$t];(s=n.$capture$)!=null&&s.length&&(n.$captureRef$=n.$capture$.map(t),n.$capture$=null)}}),P$=R({$prefix$:"",$test$:e=>e instanceof Tt,$collect$:(e,t,n)=>{if(e.$args$)for(const s of e.$args$)b(s,t,n)},$serialize$:(e,t,n)=>{const s=Mr(e);let r=n.$inlinedFunctions$.indexOf(s);return 
r<0&&(r=n.$inlinedFunctions$.length,n.$inlinedFunctions$.push(s)),de(e.$args$,t," ")+" @"+re(r)},$prepare$:e=>{const t=e.split(" "),n=t.slice(0,-1),s=t[t.length-1];return new Tt(s,n,s)},$fill$:(e,t)=>{e.$func$,e.$func$=t(e.$func$),e.$args$=e.$args$.map(t)}}),A$=R({$prefix$:"",$test$:e=>e instanceof Fe,$collect$:(e,t,n)=>(b(e.untrackedValue,t,n),n===!0&&!(e[De]&mo)&&Ae(e[J],t,!0),e),$serialize$:(e,t)=>t(e.untrackedValue),$prepare$:(e,t)=>{var n;return new Fe(e,(n=t==null?void 0:t.$subsManager$)==null?void 0:n.$createManager$(),0)},$subs$:(e,t)=>{e[J].$addSubs$(t)},$fill$:(e,t)=>{e.untrackedValue=t(e.untrackedValue)}}),q$=R({$prefix$:"",$test$:e=>e instanceof Rt,$collect$(e,t,n){if(b(e.ref,t,n),Ws(e.ref)){const s=k(e.ref);H$(t.$containerState$.$subsManager$,s,n)&&b(e.ref[e.prop],t,n)}return e},$serialize$:(e,t)=>`${t(e.ref)} ${e.prop}`,$prepare$:e=>{const[t,n]=e.split(" ");return new Rt(t,n)},$fill$:(e,t)=>{e.ref=t(e.ref)}}),C$=R({$prefix$:"",$test$:e=>typeof e=="number",$serialize$:e=>String(e),$prepare$:e=>Number(e)}),M$=R({$prefix$:"",$test$:e=>e instanceof URLSearchParams,$serialize$:e=>e.toString(),$prepare$:e=>new URLSearchParams(e)}),k$=R({$prefix$:"",$test$:e=>typeof FormData<"u"&&e instanceof globalThis.FormData,$serialize$:e=>{const t=[];return e.forEach((n,s)=>{t.push(typeof n=="string"?[s,n]:[s,n.name])}),JSON.stringify(t)},$prepare$:e=>{const t=JSON.parse(e),n=new FormData;for(const[s,r]of t)n.append(s,r);return n}}),N$=R({$prefix$:"",$test$:e=>ft(e),$collect$:(e,t,n)=>{b(e.children,t,n),b(e.props,t,n),b(e.immutableProps,t,n),b(e.key,t,n);let s=e.type;s===qt?s=":slot":s===Ye&&(s=":fragment"),b(s,t,n)},$serialize$:(e,t)=>{let n=e.type;return n===qt?n=":slot":n===Ye&&(n=":fragment"),`${t(n)} ${t(e.props)} ${t(e.immutableProps)} ${t(e.key)} ${t(e.children)} ${e.flags}`},$prepare$:e=>{const[t,n,s,r,o,$]=e.split(" ");return new 
qe(t,n,s,o,parseInt($,10),r)},$fill$:(e,t)=>{e.type=G$(t(e.type)),e.props=t(e.props),e.immutableProps=t(e.immutableProps),e.key=t(e.key),e.children=t(e.children)}}),z$=R({$prefix$:"",$test$:e=>typeof e=="bigint",$serialize$:e=>e.toString(),$prepare$:e=>BigInt(e)}),O$=R({$prefix$:"",$test$:e=>e instanceof Uint8Array,$serialize$:e=>{let t="";for(const n of e)t+=String.fromCharCode(n);return btoa(t).replace(/=+$/,"")},$prepare$:e=>{const t=atob(e),n=new Uint8Array(t.length);let s=0;for(const r of t)n[s++]=r.charCodeAt(0);return n},$fill$:void 0}),Re=Symbol(),L$=R({$prefix$:"",$test$:e=>e instanceof Set,$collect$:(e,t,n)=>{e.forEach(s=>b(s,t,n))},$serialize$:(e,t)=>Array.from(e).map(t).join(" "),$prepare$:e=>{const t=new Set;return t[Re]=e,t},$fill$:(e,t)=>{const n=e[Re];e[Re]=void 0;const s=n.length===0?[]:n.split(" ");for(const r of s)e.add(t(r))}}),D$=R({$prefix$:"",$test$:e=>e instanceof Map,$collect$:(e,t,n)=>{e.forEach((s,r)=>{b(s,t,n),b(r,t,n)})},$serialize$:(e,t)=>{const n=[];return e.forEach((s,r)=>{n.push(t(r)+" "+t(s))}),n.join(" ")},$prepare$:e=>{const t=new Map;return t[Re]=e,t},$fill$:(e,t)=>{const n=e[Re];e[Re]=void 0;const s=n.length===0?[]:n.split(" ");s.length%2;for(let r=0;r!!Os(e)||e===mt,$serialize$:e=>e,$prepare$:e=>e}),dn=[v$,x$,E$,w$,b$,_$,T$,R$,I$,P$,A$,q$,C$,M$,k$,N$,z$,L$,D$,F$,O$],zn=(()=>{const e=[];return dn.forEach(t=>{const n=t.$prefixCode$;for(;e.lengthe.$collect$),W$=(e,t,n)=>{for(const s of Q$)if(s.$test$(e))return s.$collect$(e,t,n),!0;return!1},B$=(e,t,n,s)=>{for(const r of dn)if(r.$test$(e)){let o=r.$prefixChar$;return r.$serialize$&&(o+=r.$serialize$(e,t,n,s)),o}if(typeof e=="string")return e},Ls=(e,t)=>{const n=new Map,s=new Map;return{prepare(r){const o=Os(r);if(o){const $=o.$prepare$(r.slice(1),e,t);return o.$fill$&&n.set($,o),o.$subs$&&s.set($,o),$}return r},subs(r,o){const $=s.get(r);return!!$&&($.$subs$(r,o,e),!0)},fill(r,o){const 
$=n.get(r);return!!$&&($.$fill$(r,o,e),!0)}}},U$={"!":(e,t)=>t.$proxyMap$.get(e)??Wt(e,t),"~":e=>Promise.resolve(e),_:e=>Promise.reject(e)},H$=(e,t,n)=>{if(typeof n=="boolean")return n;const s=e.$groupToManagers$.get(n);return!!(s&&s.length>0)&&(s.length!==1||s[0]!==t)},G$=e=>e===":slot"?qt:e===":fragment"?Ye:e,Ds=new WeakSet,Fs=new WeakSet,Qs=e=>Ds.has(e),Ws=e=>Fs.has(e),Bs=e=>(e!=null&&Ds.add(e),e),wi=e=>(Fs.add(e),e),gt=e=>ce(e)?Se(e)??e:e,Se=e=>e[vt],k=e=>e[J],Us=e=>e[we],J$=(e,t)=>{const n=e[0],s=typeof e[1]=="string"?e[1]:t(e[1]);if(!s)return;let r=n+" "+s,o;if(n===0)o=e[2];else{const $=t(e[2]);if(!$)return;n<=2?(o=e[5],r+=` ${$} ${On(t(e[3]))} ${e[4]}`):n<=4&&(o=e[4],r+=` ${$} ${typeof e[3]=="string"?e[3]:On(t(e[3]))}`)}return o&&(r+=` ${encodeURI(o)}`),r},V$=(e,t)=>{const n=e.split(" "),s=parseInt(n[0],10);n.length>=2;const r=t(n[1]);if(!r||tn(r)&&!r.$el$)return;const o=[s,r];return s===0?(n.length<=3,o.push(St(n[2]))):s<=2?(n.length===5||n.length,o.push(t(n[2]),t(n[3]),n[4],St(n[5]))):s<=4&&(n.length===4||n.length,o.push(t(n[2]),t(n[3]),St(n[4]))),o},St=e=>{if(e!==void 0)return decodeURI(e)},X$=e=>{const t=new Map;return{$groupToManagers$:t,$createManager$:s=>new K$(t,e,s),$clearSub$:s=>{const r=t.get(s);if(r){for(const o of r)o.$unsubGroup$(s);t.delete(s),r.length=0}},$clearSignal$:s=>{const r=t.get(s[1]);if(r)for(const o of r)o.$unsubEntry$(s)}}};class K${constructor(t,n,s){this.$groupToManagers$=t,this.$containerState$=n,this.$subs$=[],s&&this.$addSubs$(s)}$addSubs$(t){this.$subs$.push(...t);for(const n of this.$subs$)this.$addToGroup$(n[1],this)}$addToGroup$(t,n){let s=this.$groupToManagers$.get(t);s||this.$groupToManagers$.set(t,s=[]),s.includes(n)||s.push(n)}$unsubGroup$(t){const n=this.$subs$;for(let s=0;so===0&&$===r&&l===n)||(s.push(Hs=[...t,n]),this.$addToGroup$(r,this))}$notifySubs$(t){const n=this.$subs$;for(const s of n){const r=s[s.length-1];t&&r&&r!==t||Vr(s,this.$containerState$)}}}let Hs;function Y$(){return Hs}const 
On=e=>{if(e==null)throw pe("must be non null",e);return e},pn=e=>typeof e=="function"&&typeof e.getSymbol=="function",Z$=e=>pn(e)&&e.$symbol$=="",Ke=(e,t,n,s,r,o,$)=>{let l;const i=async function(...f){return await p.call(this,K())(...f)},c=f=>(l||(l=f),l),a=async f=>{if(f&&c(f),e==""&&(i.resolved=n=(l.qFuncs||[])[Number(t)]),n!==null)return n;if(s!==null)return n=s().then(d=>i.resolved=n=d[t]);{const d=Nt().importSymbol(l,e,t);return n=T(d,y=>i.resolved=n=y)}},u=f=>n!==null?n:a(f);function p(f,d){return(...y)=>{const w=ei(),h=u();return T(h,v=>{if(X(v)){if(d&&d()===!1)return;const x={...m(f),$qrl$:i};return x.$event$===void 0&&(x.$event$=this),j$(t,x.$element$,w),Y.call(this,x,v,...y)}throw I(10)})}}const m=f=>f==null?Z():q(f)?us(f):f,g=$??t,S=Gs(g);return Object.assign(i,{getSymbol:()=>g,getHash:()=>S,getCaptured:()=>o,resolve:a,$resolveLazy$:u,$setContainer$:c,$chunk$:e,$symbol$:t,$refSymbol$:$,$hash$:S,getFn:p,$capture$:r,$captureRef$:o,dev:null,resolved:void 0}),n&&T(n,f=>i.resolved=n=f),i},Gs=e=>{const t=e.lastIndexOf("_");return t>-1?e.slice(t+1):e};const Ln=new Set,j$=(e,t,n)=>{Ln.has(e)||(Ln.add(e),Js("qsymbol",{symbol:e,element:t,reqTime:n}))},Js=(e,t)=>{typeof document!="object"||document.dispatchEvent(new CustomEvent(e,{bubbles:!1,detail:t}))},ei=()=>typeof performance=="object"?performance.now():0,bi=function(e,t){return t===void 0&&(t=e.toString()),Ke("","",e,null,null,null,null)},ti=e=>{function t(n,s,r){const o=e.$hash$.slice(0,4)+":"+(s||"");return Xt(ze,{[ir]:e,[te]:n[te],[P]:n[P],children:n.children,props:n},r,o)}return t[$t]=[e],t},Vs=e=>typeof e=="function"&&e[$t]!==void 0,_i=(e,t)=>{const{val:n,set:s,iCtx:r}=le();if(n!=null)return n;const o=X(e)?Y(void 0,e):e;if((t==null?void 0:t.reactive)===!1)return s(o),o;{const $=Wt(o,r.$renderCtx$.$static$.$containerState$,(t==null?void 0:t.deep)??!0?1:0);return s($),$}};function Ti(e,t){var s;const n=K();return((s=n==null?void 0:n.$renderCtx$)==null?void 
0:s.$static$.$containerState$.$serverData$[e])??t}const Ri=e=>{ni(e,t=>t,!1)},ni=(e,t,n)=>{const{val:s,set:r,iCtx:o,i:$,elCtx:l}=le();if(s)return s;const i=Ar(e,$),c=o.$renderCtx$.$static$.$containerState$;if(r(i),l.$appendStyles$||(l.$appendStyles$=[]),l.$scopeIds$||(l.$scopeIds$=[]),n&&l.$scopeIds$.push(qr(i)),c.$styleIds$.has(i))return i;c.$styleIds$.add(i);const a=e.$resolveLazy$(c.$containerEl$),u=p=>{l.$appendStyles$,l.$appendStyles$.push({styleId:i,content:t(p,i)})};return W(a)?o.$waitOn$.push(a.then(u)):u(a),i},Ii=e=>{const{val:t,set:n,iCtx:s}=le();if(t!=null)return t;const r=s.$renderCtx$.$static$.$containerState$,o=X(e)&&!Vs(e)?Y(void 0,e):e;return n(ho(o,r,0,void 0))};export{xi as A,ti as B,go as C,si as D,yr as E,Ye as F,yi as G,li as H,di as I,ui as J,vi as K,Ei as R,qt as S,ri as _,ci as a,P as b,ii as c,Xt as d,js as e,Vn as f,rn as g,bi as h,_i as i,Ii as j,oi as k,pi as l,fi as m,Bs as n,mi as o,Ri as p,Si as q,Ti as r,wi as s,ai as t,Hr as u,Yr as v,gi as w,hi as x,$i as y,Xn as z};
diff --git a/dist/build/q-c4a611d9.js b/dist/build/q-c4a611d9.js
deleted file mode 100644
index 1143d9c..0000000
--- a/dist/build/q-c4a611d9.js
+++ /dev/null
@@ -1 +0,0 @@
-import{u,n as c}from"./q-b628c5ca.js";const b=(e={})=>{const[r,o,m,t]=u();let a,s;return e instanceof SubmitEvent?(s=e.target,a=new FormData(s),(e.submitter instanceof HTMLInputElement||e.submitter instanceof HTMLButtonElement)&&e.submitter.name&&e.submitter.name&&a.append(e.submitter.name,e.submitter.value)):a=e,new Promise(n=>{a instanceof FormData&&(t.formData=a),t.submitted=!0,t.isRunning=!0,m.isNavigating=!0,r.value={data:a,id:o,resolve:c(n)}}).then(({result:n,status:i})=>{if(t.isRunning=!1,t.status=i,t.value=n,s){s.getAttribute("data-spa-reset")==="true"&&s.reset();const l={status:i,value:n};s.dispatchEvent(new CustomEvent("submitcompleted",{bubbles:!1,cancelable:!1,composed:!1,detail:l}))}return{status:i,value:n}})};export{b as s_A5bZC7WO00A};
diff --git a/dist/build/q-d237ffe2.js b/dist/build/q-d237ffe2.js
deleted file mode 100644
index b681322..0000000
--- a/dist/build/q-d237ffe2.js
+++ /dev/null
@@ -1 +0,0 @@
-const t="_container_wegdn_3",e="_checklistItemDescription_wegdn_13",c={container:t,checklistItemDescription:e};export{c as s};
diff --git a/dist/build/q-f6920a84.css b/dist/build/q-f6920a84.css
deleted file mode 100644
index 99c92f9..0000000
--- a/dist/build/q-f6920a84.css
+++ /dev/null
@@ -1 +0,0 @@
-@import"https://fonts.googleapis.com/css2?family=Catamaran:wght@900&family=Poppins&display=swap";._psc_article_h9hpt_1 img{display:inline;margin:0 auto;border-radius:4px}._container_wegdn_3{grid-template-columns:repeat(auto-fit,minmax(350px,1fr))}._checklistItemDescription_wegdn_13 a{text-decoration:underline}h1,h2,h3,h4,h5,h6{font-family:Catamaran,sans-serif}p,a,li,span{font-family:Poppins,sans-serif}
diff --git a/dist/checklist/index.html b/dist/checklist/index.html
index 97a54c1..ead605f 100644
--- a/dist/checklist/index.html
+++ b/dist/checklist/index.html
@@ -1,5 +1,5 @@
-QA Supervisor - The ultimate quality checklist and framework

CWE: Categorization for Assurance

CWE: Weaknesses During Design

CWE :Weaknesses During Implementation

\ No newline at end of file
+QA Supervisor - The ultimate quality checklist and framework

CWE: Categorization for Assurance

CWE: Weaknesses During Design

CWE :Weaknesses During Implementation

\ No newline at end of file
diff --git a/dist/checklist/q-data.json b/dist/checklist/q-data.json
index c52f435..3d336fc 100644
--- a/dist/checklist/q-data.json
+++ b/dist/checklist/q-data.json
@@ -1 +1 @@
-{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. 
There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"uzXTlLKitXg":"3o3"},"\u0001",200,"/checklist/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file +{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. 
Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. 
(This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. On Windows the classic case is an unquoted service or scheduled-task binary path that contains a space (for example under 'Program Files'): a file planted at the shorter path that ends at the space is executed instead of the intended binary, typically with the service's privileges.::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the size of the pointer itself (the machine word size in bits divided by 8, i.e. 4 or 8 bytes on common platforms), never the size of the allocated buffer. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"R4G1hVIrQpw":"3o3"},"\u0001",200,"/checklist/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file diff --git a/dist/framework/index.html b/dist/framework/index.html index 09c46c9..64af1e1 100644 --- a/dist/framework/index.html +++ b/dist/framework/index.html @@ -1,4 +1,4 @@ -About | Digital Defense
\ No newline at end of file +About | Digital Defense
\ No newline at end of file diff --git a/dist/framework/q-data.json b/dist/framework/q-data.json index 687d8a0..f43dbe8 100644 --- a/dist/framework/q-data.json +++ b/dist/framework/q-data.json 
@@ -1 +1 @@ -{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. 
There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check include how trusted parties are set, how trusted parties are verified, how accesses are verified, etc. The effectiveness of a manual analysis will vary depending upon how complicated the interface is.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"uzXTlLKitXg":"3o3"},"\u0001",200,"/framework/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file +{"_entry":"3o8","_objs":["CWE: Categorization for Assurance","cwe-security","Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities","dev","This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. 
Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.","CWE-ID: 5J2EE Misconfiguration: Data Transmission Without Encryption","Essential","Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.Guidelines:::TYPE:Other:NOTE:If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. There are three common ways for SSL to be bypassed: A user manually enters URL and types HTTP rather than HTTPS. Attackers intentionally send a user to an insecure URL. A programmer erroneously creates a relative link to a page in the application, which does not switch from HTTP to HTTPS. 
(This is particularly easy to do when the link moves between public and secured areas on a web site.)::",{"point":"5","priority":"6","details":"7"},"CWE-ID: 6J2EE Misconfiguration: Insufficient Session-ID Length","The J2EE application is configured to use an insufficient session ID length.Guidelines:",{"point":"9","priority":"6","details":"a"},"CWE-ID: 7J2EE Misconfiguration: Missing Custom Error Page","The default error page of a web application should not display sensitive information about the product.Guidelines:",{"point":"c","priority":"6","details":"d"},"CWE-ID: 8J2EE Misconfiguration: Entity Bean Declared Remote","When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.Guidelines:::TYPE:Other:NOTE:Entity beans that expose a remote interface become part of an application's attack surface. 
For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.::",{"point":"f","priority":"6","details":"g"},"CWE-ID: 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods","If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.Guidelines:",{"point":"i","priority":"6","details":"j"},"CWE-ID: 11ASP.NET Misconfiguration: Creating Debug Binary","Debugging messages help attackers learn about the system and plan a form of attack.Guidelines:",{"point":"l","priority":"6","details":"m"},"CWE-ID: 12ASP.NET Misconfiguration: Missing Custom Error Page","An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.Guidelines:",{"point":"o","priority":"6","details":"p"},"CWE-ID: 13ASP.NET Misconfiguration: Password in Configuration File","Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.Guidelines:",{"point":"r","priority":"6","details":"s"},"CWE-ID: 14Compiler Removal of Code to Clear Buffers","Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka dead store removal.Guidelines:",{"point":"u","priority":"6","details":"v"},"CWE-ID: 15External Control of System or Configuration Setting","One or more system settings or configuration elements can be externally controlled by a user.Guidelines:",{"point":"x","priority":"6","details":"y"},"CWE-ID: 20Improper Input Validation","The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Guidelines:::TYPE:Relationship:NOTE:CWE-116 and CWE-20 
have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks.::TYPE:Maintenance:NOTE:As of 2020, this entry is used more often than preferred, and it is a source of frequent confusion. It is being actively modified for CWE 4.1 and subsequent versions.::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::TYPE:Maintenance:NOTE:Input validation - whether missing or incorrect - is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified as input validation problems by many security professionals. However, input validation is not necessarily the only protection mechanism available for avoiding such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these subtleties in chains within the Research Concepts view (CWE-1000), but more work is needed.::TYPE:Terminology:NOTE:The input validation term is extremely common, but it is used in many different ways. In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships. Some people use input validation as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping. Others use the term in a more narrow context to simply mean checking if an input conforms to expectations without changing it. 
CWE uses this more narrow interpretation.::",{"point":"10","priority":"6","details":"11"},"CWE-ID: 22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Guidelines:::TYPE:Relationship:NOTE:Pathname equivalence can be regarded as a type of canonicalization error.::TYPE:Relationship:NOTE:Some pathname equivalence issues are not directly related to directory traversal, rather are used to bypass security-relevant checks for whether a file/directory can be accessed by the attacker (e.g. a trailing / on a filename could bypass access rules that don't expect a trailing /, causing a server to provide the file when it normally would not).::TYPE:Terminology:NOTE:Like other weaknesses, terminology is often based on the types of manipulations used, instead of the underlying weaknesses. Some people use directory traversal only to refer to the injection of .. and equivalent sequences whose specific meaning is to traverse directories. Other variants like absolute pathname and drive letter have the *effect* of directory traversal, but some people may not call it such, since it doesn't involve .. or equivalent.::TYPE:Research Gap:NOTE:Many variants of path traversal attacks are probably under-studied with respect to root cause. CWE-790 and CWE-182 begin to cover part of this gap.::TYPE:Research Gap:NOTE:Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know which variant is affected. For example, a researcher might say that .. is vulnerable, but not test ../ which may also be vulnerable. Any combination of directory separators (/, , etc.) and numbers of . (e.g. ....) 
can produce unique variants; for example, the //../ variant is not listed (CVE-2004-0325). See this entry's children and lower-level descendants.::",{"point":"13","priority":"6","details":"14"},"CWE-ID: 23Relative Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.Guidelines:",{"point":"16","priority":"6","details":"17"},"CWE-ID: 24Path Traversal: '../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"19","priority":"6","details":"1a"},"CWE-ID: 25Path Traversal: '/../filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1c","priority":"6","details":"1d"},"CWE-ID: 26Path Traversal: '/dir/../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize /dir/../filename sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1f","priority":"6","details":"1g"},"CWE-ID: 27Path Traversal: 'dir/../../filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1i","priority":"6","details":"1j"},"CWE-ID: 28Path Traversal: '..filedir'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly 
neutralize .. sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1l","priority":"6","details":"1m"},"CWE-ID: 29Path Traversal: '..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1o","priority":"6","details":"1p"},"CWE-ID: 30Path Traversal: 'dir..filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1r","priority":"6","details":"1s"},"CWE-ID: 31Path Traversal: 'dir....filename'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir....filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"1u","priority":"6","details":"1v"},"CWE-ID: 32Path Traversal: '...' (Triple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:This manipulation-focused entry is currently hiding two distinct weaknesses, so it might need to be split. The manipulation is effective in two different contexts: it is equivalent to .... on Windows, or it can take advantage of incomplete filtering, e.g. if the programmer does a single-pass removal of ./ in a string (collapse of data into unsafe value, CWE-182).::",{"point":"1x","priority":"6","details":"1y"},"CWE-ID: 33Path Traversal: '....' 
(Multiple Dot)","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Maintenance:NOTE:Like the triple-dot CWE-32, this manipulation probably hides multiple weaknesses that should be made more explicit.::",{"point":"20","priority":"6","details":"21"},"CWE-ID: 34Path Traversal: '....//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:::TYPE:Relationship:NOTE:This could occur due to a cleansing error that removes a single ../ from ....//::",{"point":"23","priority":"6","details":"24"},"CWE-ID: 35Path Traversal: '.../...//'","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.Guidelines:",{"point":"26","priority":"6","details":"27"},"CWE-ID: 36Absolute Path Traversal","The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as /abs/path that can resolve to a location that is outside of that directory.Guidelines:",{"point":"29","priority":"6","details":"2a"},"CWE-ID: 37Path Traversal: '/absolute/pathname/here'","The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2c","priority":"6","details":"2d"},"CWE-ID: 38Path Traversal: 'absolutepathnamehere'","The product 
accepts input in the form of a backslash absolute path ('absolutepathnamehere') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2f","priority":"6","details":"2g"},"CWE-ID: 39Path Traversal: 'C:dirname'","The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2i","priority":"6","details":"2j"},"CWE-ID: 40Path Traversal: 'UNCsharename' (Windows UNC Share)","The product accepts input that identifies a Windows UNC share ('UNCsharename') that potentially redirects access to an unintended location or arbitrary file.Guidelines:",{"point":"2l","priority":"6","details":"2m"},"CWE-ID: 41Improper Resolution of Path Equivalence","The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.Guidelines:::TYPE:Relationship:NOTE:Some of these manipulations could be effective in path traversal issues, too.::",{"point":"2o","priority":"6","details":"2p"},"CWE-ID: 42Path Equivalence: 'filename.' (Trailing Dot)","The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2r","priority":"6","details":"2s"},"CWE-ID: 43Path Equivalence: 'filename....' 
(Multiple Trailing Dot)","The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"2u","priority":"6","details":"2v"},"CWE-ID: 44Path Equivalence: 'file.name' (Internal Dot)","The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"2x","priority":"6","details":"2y"},"CWE-ID: 45Path Equivalence: 'file...name' (Multiple Internal Dot)","The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:An improper attempt to remove the internal dots from the string could lead to CWE-181 (Incorrect Behavior Order: Validate Before Filter).::",{"point":"30","priority":"6","details":"31"},"CWE-ID: 46Path Equivalence: 'filename ' (Trailing Space)","The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"33","priority":"6","details":"34"},"CWE-ID: 47Path Equivalence: ' filename' (Leading Space)","The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution 
and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"36","priority":"6","details":"37"},"CWE-ID: 48Path Equivalence: 'file name' (Internal Whitespace)","The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:::TYPE:Relationship:NOTE:This weakness is likely to overlap quoting problems, e.g. the Program Files unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.::TYPE:Relationship:NOTE:Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).::",{"point":"39","priority":"6","details":"3a"},"CWE-ID: 49Path Equivalence: 'filename/' (Trailing Slash)","The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3c","priority":"6","details":"3d"},"CWE-ID: 50Path Equivalence: '//multiple/leading/slash'","The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3f","priority":"6","details":"3g"},"CWE-ID: 51Path Equivalence: '/multiple//internal/slash'","The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an 
attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3i","priority":"6","details":"3j"},"CWE-ID: 52Path Equivalence: '/multiple/trailing/slash//'","The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3l","priority":"6","details":"3m"},"CWE-ID: 53Path Equivalence: 'multipleinternalbackslash'","The product accepts path input in the form of multiple internal backslash ('multipletrailingslash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3o","priority":"6","details":"3p"},"CWE-ID: 54Path Equivalence: 'filedir' (Trailing Backslash)","The product accepts path input in the form of trailing backslash ('filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3r","priority":"6","details":"3s"},"CWE-ID: 55Path Equivalence: '/./' (Single Dot Directory)","The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.Guidelines:",{"point":"3u","priority":"6","details":"3v"},"CWE-ID: 56Path Equivalence: 'filedir*' (Wildcard)","The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary 
files.Guidelines:",{"point":"3x","priority":"6","details":"3y"},"CWE-ID: 57Path Equivalence: 'fakedir/../realdir/filename'","The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.Guidelines:::TYPE:Theoretical:NOTE:This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).::",{"point":"40","priority":"6","details":"41"},"CWE-ID: 58Path Equivalence: Windows 8.3 Filename","The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short 8.3 filename.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"43","priority":"6","details":"44"},"CWE-ID: 59Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.Guidelines:::TYPE:Theoretical:NOTE:Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. 
Some potential factors are race conditions, permissions, and predictability.::",{"point":"46","priority":"6","details":"47"},"CWE-ID: 61UNIX Symbolic Link (Symlink) Following","The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Symlink vulnerabilities are regularly found in C and shell programs, but all programming languages can have this problem. Even shell programs are probably under-reported. Second-order symlink vulnerabilities may exist in programs that invoke other programs that follow symlinks. They are rarely reported but are likely to be fairly common when process invocation is used [REF-493].::",{"point":"49","priority":"6","details":"4a"},"CWE-ID: 62UNIX Hard Link","The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4c","priority":"6","details":"4d"},"CWE-ID: 64Windows Shortcut Following (.LNK)","The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. Windows .LNK files are more portable than Unix symlinks and have been used in remote exploits. 
Some Windows API's will access LNK's as if they are regular files, so one would expect that they would be reported more frequently.::",{"point":"4f","priority":"6","details":"4g"},"CWE-ID: 65Windows Hard Link","The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.Guidelines:",{"point":"4i","priority":"6","details":"4j"},"CWE-ID: 66Improper Handling of File Names that Identify Virtual Resources","The product does not handle or incorrectly handles a file name that identifies a virtual resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.Guidelines:",{"point":"4l","priority":"6","details":"4m"},"CWE-ID: 67Improper Handling of Windows Device Names","The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. 
This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.Guidelines:",{"point":"4o","priority":"6","details":"4p"},"CWE-ID: 69Improper Handling of Windows ::DATA Alternate Data Stream","The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::",{"point":"4r","priority":"6","details":"4s"},"CWE-ID: 72Improper Handling of Apple HFS+ Alternate Data Stream Path","The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.Guidelines:::TYPE:Theoretical:NOTE:This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.::TYPE:Research Gap:NOTE:Under-studied::",{"point":"4u","priority":"6","details":"4v"},"CWE-ID: 73External Control of File Name or Path","The product allows user input to control or influence paths or file names that are used in filesystem operations.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Relationship:NOTE:The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc. However, those weaknesses do not always require external control. 
For example, link-following weaknesses (CWE-59) often involve pathnames that are not controllable by the attacker at all. The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (CWE-98) and path traversal (CWE-22). Operating with excessive privileges (CWE-250) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (CWE-119) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.::",{"point":"4x","priority":"6","details":"4y"},"CWE-ID: 74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Guidelines:::TYPE:Theoretical:NOTE:Many people treat injection only as an input validation problem (CWE-20) because many people do not distinguish between the consequence/attack (injection) and the protection mechanism that prevents the attack from succeeding. However, input validation is only one potential protection mechanism (output encoding is another), and there is a chaining relationship between improper input validation and the improper enforcement of the structure of messages to other components. 
Other issues not directly related to input validation, such as race conditions, could similarly impact message structure.::",{"point":"50","priority":"6","details":"51"},"CWE-ID: 75Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The product does not adequately filter user-controlled input for special elements with control implications.Guidelines:",{"point":"53","priority":"6","details":"54"},"CWE-ID: 76Improper Neutralization of Equivalent Special Elements","The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.Guidelines:",{"point":"56","priority":"6","details":"57"},"CWE-ID: 77Improper Neutralization of Special Elements used in a Command ('Command Injection')","The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The command injection phrase carries different meanings to different people. For some people, it refers to any type of attack that can allow the attacker to execute commands of their own choosing, regardless of how those commands are inserted. The command injection could thus be resultant from another weakness. This usage also includes cases in which the functionality allows the user to specify an entire command, which is then executed; within CWE, this situation might be better regarded as an authorization problem (since an attacker should not be able to specify arbitrary commands.) 
Another common usage, which includes CWE-77 and its descendants, involves cases in which the attacker injects separators into the command being constructed.::",{"point":"59","priority":"6","details":"5a"},"CWE-ID: 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Guidelines:::TYPE:Terminology:NOTE:The OS command injection phrase carries different meanings to different people. For some people, it only refers to cases in which the attacker injects command separators into arguments for an application-controlled program that is being invoked. For some people, it refers to any type of attack that can allow the attacker to execute OS commands of their own choosing. This usage could include untrusted search path weaknesses (CWE-426) that cause the application to find and execute an attacker-controlled program. Further complicating the issue is the case when argument injection (CWE-88) allows alternate command-line switches or options to be inserted into the command line, such as an -exec switch whose purpose may be to execute the subsequent argument as a command (this -exec switch exists in the UNIX find command, for example). In this latter case, however, CWE-88 could be regarded as the primary weakness in a chain with CWE-78.::TYPE:Research Gap:NOTE:More investigation is needed into the distinction between the OS command injection variants, including the role with argument injection (CWE-88). 
Equivalent distinctions may exist in other injection-related problems such as SQL injection.::",{"point":"5c","priority":"6","details":"5d"},"CWE-ID: 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Applicable Platform:NOTE:XSS flaws are very common in web applications, since they require a great deal of developer discipline to avoid them.::",{"point":"5f","priority":"6","details":"5g"},"CWE-ID: 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Guidelines:",{"point":"5i","priority":"6","details":"5j"},"CWE-ID: 81Improper Neutralization of Script in an Error Message Web Page","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error 
page.Guidelines:",{"point":"5l","priority":"6","details":"5m"},"CWE-ID: 82Improper Neutralization of Script in Attributes of IMG Tags in a Web Page","The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.Guidelines:",{"point":"5o","priority":"6","details":"5p"},"CWE-ID: 83Improper Neutralization of Script in Attributes in a Web Page","The product does not neutralize or incorrectly neutralizes javascript: or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.Guidelines:",{"point":"5r","priority":"6","details":"5s"},"CWE-ID: 84Improper Neutralization of Encoded URI Schemes in a Web Page","The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.Guidelines:",{"point":"5u","priority":"6","details":"5v"},"CWE-ID: 85Doubled Character XSS Manipulations","The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.Guidelines:",{"point":"5x","priority":"6","details":"5y"},"CWE-ID: 86Improper Neutralization of Invalid Characters in Identifiers in Web Pages","The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.Guidelines:",{"point":"60","priority":"6","details":"61"},"CWE-ID: 87Improper Neutralization of Alternate XSS Syntax","The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.Guidelines:",{"point":"63","priority":"6","details":"64"},"CWE-ID: 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command 
string.Guidelines:::TYPE:Relationship:NOTE:At one layer of abstraction, this can overlap other weaknesses that have whitespace problems, e.g. injection of javascript into attributes of HTML tags.::",{"point":"66","priority":"6","details":"67"},"CWE-ID: 89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.::",{"point":"69","priority":"6","details":"6a"},"CWE-ID: 90Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Factors: resultant to special character mismanagement, MAID, or denylist/allowlist problems. Can be primary to authentication and verification errors.::",{"point":"6c","priority":"6","details":"6d"},"CWE-ID: 91XML Injection (aka Blind XPath Injection)","The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Guidelines:::TYPE:Maintenance:NOTE:The description for this entry is generally applicable to XML, but the name includes blind XPath injection which is more closely associated with CWE-643. 
Therefore this entry might need to be deprecated or converted to a general category - although injection into raw XML is not covered by CWE-643 or CWE-652.::TYPE:Theoretical:NOTE:In vulnerability theory terms, this is a representation-specific case of a Data/Directive Boundary Error.::TYPE:Research Gap:NOTE:Under-reported. This is likely found regularly by third party code auditors, but there are very few publicly reported examples.::",{"point":"6f","priority":"6","details":"6g"},"CWE-ID: 93Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.Guidelines:",{"point":"6i","priority":"6","details":"6j"},"CWE-ID: 94Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Guidelines:",{"point":"6l","priority":"6","details":"6m"},"CWE-ID: 95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).Guidelines:::TYPE:Other:NOTE:Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. 
when a single function without arguments can be referenced and a terminator character is not necessary.::",{"point":"6o","priority":"6","details":"6p"},"CWE-ID: 96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.Guidelines:::TYPE:Relationship:NOTE:HTML injection (see CWE-79: XSS) could be thought of as an example of this, but the code is injected and executed on the client side, not the server side. Server-Side Includes (SSI) are an example of direct static code injection.::",{"point":"6r","priority":"6","details":"6s"},"CWE-ID: 97Improper Neutralization of Server-Side Includes (SSI) Within a Web Page","The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.::",{"point":"6u","priority":"6","details":"6v"},"CWE-ID: 98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.Guidelines:::TYPE:Relationship:NOTE:This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. 
Can overlap directory traversal in local inclusion problems.::",{"point":"6x","priority":"6","details":"6y"},"CWE-ID: 99Improper Control of Resource Identifiers ('Resource Injection')","The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. 
Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"70","priority":"6","details":"71"},"CWE-ID: 102Struts: Duplicate Validation Forms","The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.Guidelines:",{"point":"73","priority":"6","details":"74"},"CWE-ID: 103Struts: Incomplete validate() Method Definition","The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().Guidelines:::TYPE:Relationship:NOTE:This could introduce other weaknesses related to missing input validation.::TYPE:Maintenance:NOTE:The current description implies a loose composite of two separate weaknesses, so this node might need to be split or converted into a low-level category.::",{"point":"76","priority":"6","details":"77"},"CWE-ID: 104Struts: Form Bean Does Not Extend Validation Class","If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.Guidelines:",{"point":"79","priority":"6","details":"7a"},"CWE-ID: 105Struts: Form Field Without Validator","The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.Guidelines:",{"point":"7c","priority":"6","details":"7d"},"CWE-ID: 106Struts: Plug-in Framework not in Use","When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.Guidelines:",{"point":"7f","priority":"6","details":"7g"},"CWE-ID: 107Struts: Unused Validation Form","An unused validation form indicates that validation logic is not 
up-to-date.Guidelines:",{"point":"7i","priority":"6","details":"7j"},"CWE-ID: 108Struts: Unvalidated Action Form","Every Action Form must have a corresponding validation form.Guidelines:",{"point":"7l","priority":"6","details":"7m"},"CWE-ID: 109Struts: Validator Turned Off","Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.Guidelines:::TYPE:Other:NOTE:The Action Form mapping in the demonstrative example disables the form's validate() method. The Struts bean: write tag automatically encodes special HTML characters, replacing a < with < and a > with >. This action can be disabled by specifying filter=false as an attribute of the tag to disable specified JSP pages. However, being disabled makes these pages susceptible to cross-site scripting attacks. An attacker may be able to insert malicious scripts as user input to write to these JSP pages.::",{"point":"7o","priority":"6","details":"7p"},"CWE-ID: 110Struts: Validator Without Form Field","Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.Guidelines:",{"point":"7r","priority":"6","details":"7s"},"CWE-ID: 111Direct Use of Unsafe JNI","When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.Guidelines:",{"point":"7u","priority":"6","details":"7v"},"CWE-ID: 112Missing XML Validation","The product accepts XML from an untrusted source but does not validate the XML against the proper schema.Guidelines:",{"point":"7x","priority":"6","details":"7y"},"CWE-ID: 113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","The product receives data from an HTTP agent/component (e.g., web server, 
proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Guidelines:",{"point":"80","priority":"6","details":"81"},"CWE-ID: 114Process Control","Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.Guidelines:::TYPE:Maintenance:NOTE:CWE-114 is a Class, but it is listed a child of CWE-73 in view 1000. This suggests some abstraction problems that should be resolved in future versions.::TYPE:Maintenance:NOTE:This entry seems to have close relationships with CWE-426/CWE-427. It seems more attack-oriented.::",{"point":"83","priority":"6","details":"84"},"CWE-ID: 115Misinterpretation of Input","The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.Guidelines:::TYPE:Research Gap:NOTE:This concept needs further study. It is likely a factor in several weaknesses, possibly resultant as well. Overlaps Multiple Interpretation Errors (MIE).::",{"point":"86","priority":"6","details":"87"},"CWE-ID: 116Improper Encoding or Escaping of Output","The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Guidelines:::TYPE:Relationship:NOTE:This weakness is primary to all weaknesses related to injection (CWE-74) since the inherent nature of injection involves the violation of structured messages.::TYPE:Relationship:NOTE:CWE-116 and CWE-20 have a close association because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of a structured message. 
For example, by validating that a numeric ID field should only contain the 0-9 characters, the programmer effectively prevents injection attacks. However, input validation is not always sufficient, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a last name is inserted into a query. The name O'Reilly would likely pass the validation step since it is a common last name in the English language. However, it cannot be directly inserted into the database because it contains the ' apostrophe character, which would need to be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.::TYPE:Terminology:NOTE:The usage of the encoding and escaping terms varies widely. For example, in some programming languages, the terms are used interchangeably, while other languages provide APIs that use both terms for different tasks. This overlapping usage extends to the Web, such as the escape JavaScript function whose purpose is stated to be encoding. The concepts of encoding and escaping predate the Web by decades. Given such a context, it is difficult for CWE to adopt a consistent vocabulary that will not be misinterpreted by some constituency.::TYPE:Theoretical:NOTE:This is a data/directive boundary error in which data boundaries are not sufficiently enforced before it is sent to a different control sphere.::TYPE:Research Gap:NOTE:While many published vulnerabilities are related to insufficient output encoding, there is such an emphasis on input validation as a protection mechanism that the underlying causes are rarely described. Within CVE, the focus is primarily on well-understood issues like cross-site scripting and SQL injection. 
It is likely that this weakness frequently occurs in custom protocols that support multiple encodings, which are not necessarily detectable with automated techniques.::",{"point":"89","priority":"6","details":"8a"},"CWE-ID: 117Improper Output Neutralization for Logs","The product does not neutralize or incorrectly neutralizes output that is written to logs.Guidelines:",{"point":"8c","priority":"6","details":"8d"},"CWE-ID: 118Incorrect Access of Indexable Resource ('Range Error')","The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.Guidelines:",{"point":"8f","priority":"6","details":"8g"},"CWE-ID: 119Improper Restriction of Operations within the Bounds of a Memory Buffer","The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Guidelines:::TYPE:Applicable Platform:NOTE:It is possible in any programming languages without memory management support to attempt an operation outside of the bounds of a memory buffer, but the consequences will vary widely depending on the language, platform, and chip architecture.::",{"point":"8i","priority":"6","details":"8j"},"CWE-ID: 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Guidelines:::TYPE:Relationship:NOTE:At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. 
From the attacker perspective, they can be quite different, since different techniques are required to exploit them.::TYPE:Terminology:NOTE:Many issues that are now called buffer overflows are substantively different than the classic overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.::",{"point":"8l","priority":"6","details":"8m"},"CWE-ID: 121Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Guidelines:::TYPE:Other:NOTE:Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc.::",{"point":"8o","priority":"6","details":"8p"},"CWE-ID: 122Heap-based Buffer Overflow","A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Guidelines:::TYPE:Relationship:NOTE:Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.::",{"point":"8r","priority":"6","details":"8s"},"CWE-ID: 123Write-what-where Condition","Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.Guidelines:",{"point":"8u","priority":"6","details":"8v"},"CWE-ID: 124Buffer Underwrite ('Buffer Underflow')","The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:::TYPE:Relationship:NOTE:This could be 
resultant from several errors, including a bad offset or an array index that decrements before the beginning of the buffer (see CWE-129).::",{"point":"8x","priority":"6","details":"8y"},"CWE-ID: 125Out-of-bounds Read","The product reads data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"90","priority":"6","details":"91"},"CWE-ID: 126Buffer Over-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.Guidelines:::TYPE:Relationship:NOTE:These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.::",{"point":"93","priority":"6","details":"94"},"CWE-ID: 127Buffer Under-read","The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"96","priority":"6","details":"97"},"CWE-ID: 128Wrap-around Error","Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore wraps around to a very small, negative, or undefined value.Guidelines:::TYPE:Relationship:NOTE:The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.::",{"point":"99","priority":"6","details":"9a"},"CWE-ID: 129Improper Validation of Array Index","The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Guidelines:::TYPE:Relationship:NOTE:This weakness can precede uncontrolled memory allocation (CWE-789) in languages that automatically expand an array when an index is used that is larger than the size of the array, such as JavaScript.::TYPE:Theoretical:NOTE:An improperly 
validated array index might lead directly to the always-incorrect behavior of access of array using out-of-bounds index.::",{"point":"9c","priority":"6","details":"9d"},"CWE-ID: 130Improper Handling of Length Parameter Inconsistency","The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Guidelines:::TYPE:Relationship:NOTE:This probably overlaps other categories including zero-length issues.::",{"point":"9f","priority":"6","details":"9g"},"CWE-ID: 131Incorrect Calculation of Buffer Size","The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.Guidelines:::TYPE:Maintenance:NOTE:This is a broad category. Some examples include: simple math errors, incorrectly updating parallel counters, not accounting for size differences when transforming one input to another format (e.g. URL canonicalization or other transformation that can generate a result that's larger than the original input, i.e. expansion). This level of detail is rarely available in public reports, so it is difficult to find good examples.::TYPE:Maintenance:NOTE:This weakness may be a composite or a chain. It also may contain layering or perspective differences. This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). 
However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.::",{"point":"9i","priority":"6","details":"9j"},"CWE-ID: 134Use of Externally-Controlled Format String","The product uses a function that accepts a format string as an argument, but the format string originates from an external source.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that support format strings.::TYPE:Other:NOTE:While Format String vulnerabilities typically fall under the Buffer Overflow category, technically they are not overflowed buffers. The Format String vulnerability is fairly new (circa 1999) and stems from the fact that there is no realistic way for a function that takes a variable number of arguments to determine just how many arguments were passed in. The most common functions that take a variable number of arguments, including C-runtime functions, are the printf() family of calls. The Format String problem appears in a number of ways. A *printf() call without a format specifier is dangerous and can be exploited. For example, printf(input); is exploitable, while printf(y, input); is not exploitable in that context. The result of the first call, used incorrectly, allows for an attacker to be able to peek at stack memory since the input string will be used as the format specifier. The attacker can stuff the input string with format specifiers and begin reading stack values, since the remaining parameters will be pulled from the stack. Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to be written into the memory of the running program. Frequently targeted entities are file names, process names, identifiers. Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. One main reason format string vulnerabilities can be exploited is due to the %n operator. 
The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument. Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, they can execute arbitrary code. Other operators can be used as well; for example, a %9999s operator could also trigger a buffer overflow, or when used in file-formatting functions like fprintf, it can generate a much larger output than intended.::TYPE:Research Gap:NOTE:Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.::",{"point":"9l","priority":"6","details":"9m"},"CWE-ID: 135Incorrect Calculation of Multi-Byte String Length","The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.Guidelines:",{"point":"9o","priority":"6","details":"9p"},"CWE-ID: 138Improper Neutralization of Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This weakness can be related to interpretation conflicts or interaction errors in intermediaries (such as proxies or application firewalls) when the intermediary's model of an endpoint does not account for protocol-specific special elements.::TYPE:Relationship:NOTE:See this entry's children for different types of special elements that have been observed at one point or another. However, it can be difficult to find suitable CVE examples. 
In an attempt to be complete, CWE includes some types that do not have any associated observed example.::TYPE:Research Gap:NOTE:This weakness is probably under-studied for proprietary or custom formats. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.::",{"point":"9r","priority":"6","details":"9s"},"CWE-ID: 140Improper Neutralization of Delimiters","The product does not neutralize or incorrectly neutralizes delimiters.Guidelines:",{"point":"9u","priority":"6","details":"9v"},"CWE-ID: 141Improper Neutralization of Parameter/Argument Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.Guidelines:",{"point":"9x","priority":"6","details":"9y"},"CWE-ID: 142Improper Neutralization of Value Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.Guidelines:",{"point":"a0","priority":"6","details":"a1"},"CWE-ID: 143Improper Neutralization of Record Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.Guidelines:",{"point":"a3","priority":"6","details":"a4"},"CWE-ID: 144Improper Neutralization of Line Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream 
component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a6","priority":"6","details":"a7"},"CWE-ID: 145Improper Neutralization of Section Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Depending on the language and syntax being used, this could be the same as the record delimiter (CWE-143).::",{"point":"a9","priority":"6","details":"aa"},"CWE-ID: 146Improper Neutralization of Expression/Command Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:A shell metacharacter (covered in CWE-150) is one example of a potential delimiter that may need to be neutralized.::",{"point":"ac","priority":"6","details":"ad"},"CWE-ID: 147Improper Neutralization of Input Terminators","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.Guidelines:",{"point":"af","priority":"6","details":"ag"},"CWE-ID: 148Improper Neutralization of Input Leaders","The product does not properly handle when a leading character or sequence (leader) is missing or malformed, or if multiple leaders are used when only one should be allowed.Guidelines:",{"point":"ai","priority":"6","details":"aj"},"CWE-ID: 149Improper Neutralization of Quoting Syntax","Quotes injected into a product can be used to compromise a system. 
As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.Guidelines:",{"point":"al","priority":"6","details":"am"},"CWE-ID: 150Improper Neutralization of Escape, Meta, or Control Sequences","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.Guidelines:",{"point":"ao","priority":"6","details":"ap"},"CWE-ID: 151Improper Neutralization of Comment Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.Guidelines:",{"point":"ar","priority":"6","details":"as"},"CWE-ID: 152Improper Neutralization of Macro Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"au","priority":"6","details":"av"},"CWE-ID: 153Improper Neutralization of Substitution Characters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"ax","priority":"6","details":"ay"},"CWE-ID: 154Improper Neutralization of Variable Name Delimiters","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.Guidelines:::TYPE:Research 
Gap:NOTE:Under-studied.::",{"point":"b0","priority":"6","details":"b1"},"CWE-ID: 155Improper Neutralization of Wildcards or Matching Symbols","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b3","priority":"6","details":"b4"},"CWE-ID: 156Improper Neutralization of Whitespace","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:Can overlap other separator characters or delimiters.::",{"point":"b6","priority":"6","details":"b7"},"CWE-ID: 157Failure to Sanitize Paired Delimiters","The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.Guidelines:::TYPE:Research Gap:NOTE:Under-studied.::",{"point":"b9","priority":"6","details":"ba"},"CWE-ID: 158Improper Neutralization of Null Byte or NUL Character","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.Guidelines:::TYPE:Relationship:NOTE:This can be a factor in multiple interpretation errors, other interaction errors, filename equivalence, etc.::",{"point":"bc","priority":"6","details":"bd"},"CWE-ID: 159Improper Handling of Invalid Use of Special Elements","The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.Guidelines:::TYPE:Maintenance:NOTE:The list of children for this entry is far from complete. 
However, the types of special elements might be too precise for use within CWE.::TYPE:Terminology:NOTE:Precise terminology for the underlying weaknesses does not exist. Therefore, these weaknesses use the terminology associated with the manipulation.::TYPE:Research Gap:NOTE:Customized languages and grammars, even those that are specific to a particular product, are potential sources of weaknesses that are related to special elements. However, most researchers concentrate on the most commonly used representations for data transmission, such as HTML and SQL. Any representation that is commonly used is likely to be a rich source of weaknesses; researchers are encouraged to investigate previously unexplored representations.::",{"point":"bf","priority":"6","details":"bg"},"CWE-ID: 160Improper Neutralization of Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bi","priority":"6","details":"bj"},"CWE-ID: 161Improper Neutralization of Multiple Leading Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bl","priority":"6","details":"bm"},"CWE-ID: 162Improper Neutralization of Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bo","priority":"6","details":"bp"},"CWE-ID: 163Improper Neutralization of Multiple Trailing Special Elements","The product receives input from an upstream component, but it does not neutralize 
or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"br","priority":"6","details":"bs"},"CWE-ID: 164Improper Neutralization of Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bu","priority":"6","details":"bv"},"CWE-ID: 165Improper Neutralization of Multiple Internal Special Elements","The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.Guidelines:",{"point":"bx","priority":"6","details":"by"},"CWE-ID: 166Improper Handling of Missing Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.Guidelines:",{"point":"c0","priority":"6","details":"c1"},"CWE-ID: 167Improper Handling of Additional Special Element","The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.Guidelines:",{"point":"c3","priority":"6","details":"c4"},"CWE-ID: 168Improper Handling of Inconsistent Special Elements","The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.Guidelines:",{"point":"c6","priority":"6","details":"c7"},"CWE-ID: 170Improper Null Termination","The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.Guidelines:::TYPE:Relationship:NOTE:Factors: this is usually resultant from other weaknesses such as off-by-one 
errors, but it can be primary to boundary condition violations such as buffer overflows. In buffer overflows, it can act as an expander for assumed-immutable data.::TYPE:Relationship:NOTE:Overlaps missing input terminator.::TYPE:Applicable Platform:NOTE:Conceptually, this does not just apply to the C language; any language or representation that involves a terminator could have this type of problem.::TYPE:Maintenance:NOTE:As currently described, this entry is more like a category than a weakness.::",{"point":"c9","priority":"6","details":"ca"},"CWE-ID: 172Encoding Error","The product does not properly encode or decode the data, resulting in unexpected values.Guidelines:::TYPE:Relationship:NOTE:Partially overlaps path traversal and equivalence weaknesses.::TYPE:Maintenance:NOTE:This is more like a category than a weakness.::TYPE:Maintenance:NOTE:Many other types of encodings should be listed in this category.::",{"point":"cc","priority":"6","details":"cd"},"CWE-ID: 173Improper Handling of Alternate Encoding","The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.Guidelines:",{"point":"cf","priority":"6","details":"cg"},"CWE-ID: 174Double Decoding of the Same Data","The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"ci","priority":"6","details":"cj"},"CWE-ID: 175Improper Handling of Mixed Encoding","The product does not properly handle when the same input uses several different (mixed) encodings.Guidelines:",{"point":"cl","priority":"6","details":"cm"},"CWE-ID: 176Improper Handling of Unicode Encoding","The product does not properly handle when an input contains Unicode encoding.Guidelines:",{"point":"co","priority":"6","details":"cp"},"CWE-ID: 177Improper Handling of URL Encoding (Hex Encoding)","The 
product does not properly handle when all or part of an input has been URL encoded.Guidelines:",{"point":"cr","priority":"6","details":"cs"},"CWE-ID: 178Improper Handling of Case Sensitivity","The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.Guidelines:::TYPE:Research Gap:NOTE:These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.::",{"point":"cu","priority":"6","details":"cv"},"CWE-ID: 179Incorrect Behavior Order: Early Validation","The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.Guidelines:::TYPE:Research Gap:NOTE:These errors are mostly reported in path traversal vulnerabilities, but the concept applies whenever validation occurs.::",{"point":"cx","priority":"6","details":"cy"},"CWE-ID: 180Incorrect Behavior Order: Validate Before Canonicalize","The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"d0","priority":"6","details":"d1"},"CWE-ID: 181Incorrect Behavior Order: Validate Before Filter","The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.Guidelines:::TYPE:Research Gap:NOTE:This category is probably under-studied.::",{"point":"d3","priority":"6","details":"d4"},"CWE-ID: 182Collapse of Data into Unsafe Value","The product filters data in a way that causes it to be reduced or collapsed into an unsafe value that violates an expected security property.Guidelines:::TYPE:Relationship:NOTE:Overlaps regular 
expressions, although an implementation might not necessarily use regexp's.::",{"point":"d6","priority":"6","details":"d7"},"CWE-ID: 183Permissive List of Allowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.Guidelines:",{"point":"d9","priority":"6","details":"da"},"CWE-ID: 184Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others.::",{"point":"dc","priority":"6","details":"dd"},"CWE-ID: 185Incorrect Regular Expression","The product specifies a regular expression in a way that causes data to be improperly matched or compared.Guidelines:::TYPE:Relationship:NOTE:While there is some overlap with allowlist/denylist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as an allowlist or denylist. In addition, allowlists and denylists can be implemented using other mechanisms besides regular expressions.::TYPE:Research Gap:NOTE:Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. 
However, they are rarely diagnosed at this level of detail.::",{"point":"df","priority":"6","details":"dg"},"CWE-ID: 186Overly Restrictive Regular Expression","A regular expression is overly restrictive, which prevents dangerous values from being detected.Guidelines:::TYPE:Relationship:NOTE:Can overlap allowlist/denylist errors (CWE-183/CWE-184)::",{"point":"di","priority":"6","details":"dj"},"CWE-ID: 187Partial String Comparison","The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.::",{"point":"dl","priority":"6","details":"dm"},"CWE-ID: 188Reliance on Data/Memory Layout","The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.Guidelines:",{"point":"do","priority":"6","details":"dp"},"CWE-ID: 190Integer Overflow or Wraparound","The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.Guidelines:::TYPE:Relationship:NOTE:Integer overflows can be primary to buffer overflows.::TYPE:Terminology:NOTE:Integer overflow is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. 
Other confusion also arises because of the role that integer overflows have in chains.::",{"point":"dr","priority":"6","details":"ds"},"CWE-ID: 191Integer Underflow (Wrap or Wraparound)","The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.Guidelines:",{"point":"du","priority":"6","details":"dv"},"CWE-ID: 192Integer Coercion Error","Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.Guidelines:::TYPE:Maintenance:NOTE:Within C, it might be that coercion is semantically different than casting, possibly depending on whether the programmer directly specifies the conversion, or if the compiler does it implicitly. This has implications for the presentation of this entry and others, such as CWE-681, and whether there is enough of a difference for these entries to be split.::",{"point":"dx","priority":"6","details":"dy"},"CWE-ID: 193Off-by-one Error","A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.Guidelines:::TYPE:Relationship:NOTE:This is not always a buffer overflow. For example, an off-by-one error could be a factor in a partial comparison, a read from the wrong memory location, an incorrect conditional, etc.::",{"point":"e0","priority":"6","details":"e1"},"CWE-ID: 194Unexpected Sign Extension","The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:Sign extension errors can lead to buffer overflows and other memory-based problems. 
They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.::TYPE:Maintenance:NOTE:This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.::",{"point":"e3","priority":"6","details":"e4"},"CWE-ID: 195Signed to Unsigned Conversion Error","The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.Guidelines:",{"point":"e6","priority":"6","details":"e7"},"CWE-ID: 196Unsigned to Signed Conversion Error","The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.Guidelines:",{"point":"e9","priority":"6","details":"ea"},"CWE-ID: 197Numeric Truncation Error","Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.Guidelines:::TYPE:Research Gap:NOTE:This weakness has traditionally been under-studied and under-reported, although vulnerabilities in popular software have been published in 2008 and 2009.::",{"point":"ec","priority":"6","details":"ed"},"CWE-ID: 198Use of Incorrect Byte Ordering","The product receives input from an upstream component, but it does not account for byte ordering (e.g. 
big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.Guidelines:::TYPE:Research Gap:NOTE:Under-reported.::",{"point":"ef","priority":"6","details":"eg"},"CWE-ID: 200Exposure of Sensitive Information to an Unauthorized Actor","The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Guidelines:::TYPE:Maintenance:NOTE:As a result of mapping analysis in the 2020 Top 25 and more recent versions, this weakness is under review, since it is frequently misused in mapping to cover many problems that lead to loss of confidentiality. See Mapping Notes, Extended Description, and Alternate Terms.::",{"point":"ei","priority":"6","details":"ej"},"CWE-ID: 201Insertion of Sensitive Information Into Sent Data","The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Guidelines:",{"point":"el","priority":"6","details":"em"},"CWE-ID: 202Exposure of Sensitive Information Through Data Queries","When trying to keep information confidential, an attacker can often infer some of the information by using statistics.Guidelines:::TYPE:Maintenance:NOTE:The relationship between CWE-202 and CWE-612 needs to be investigated more closely, as they may be different descriptions of the same kind of problem. CWE-202 is also being considered for deprecation, as it is not clearly described and may have been misunderstood by CWE users. 
It could be argued that this issue is better covered by CAPEC; an attacker can utilize their data-query privileges to perform this kind of operation, and if the attacker should not be allowed to perform the operation - or if the sensitive data should not have been made accessible at all - then that is more appropriately classified as a separate CWE related to authorization (see the parent, CWE-1230).::",{"point":"eo","priority":"6","details":"ep"},"CWE-ID: 203Observable Discrepancy","The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:",{"point":"er","priority":"6","details":"es"},"CWE-ID: 204Observable Response Discrepancy","The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:can overlap errors related to escalated privileges::",{"point":"eu","priority":"6","details":"ev"},"CWE-ID: 205Observable Behavioral Discrepancy","The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.Guidelines:",{"point":"ex","priority":"6","details":"ey"},"CWE-ID: 206Observable Internal Behavioral Discrepancy","The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.Guidelines:",{"point":"f0","priority":"6","details":"f1"},"CWE-ID: 207Observable Behavioral Discrepancy With Equivalent Products","The product operates in an environment in which its existence 
or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.Guidelines:",{"point":"f3","priority":"6","details":"f4"},"CWE-ID: 208Observable Timing Discrepancy","Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Guidelines:::TYPE:Relationship:NOTE:Often primary in cryptographic applications and algorithms.::",{"point":"f6","priority":"6","details":"f7"},"CWE-ID: 209Generation of Error Message Containing Sensitive Information","The product generates an error message that includes sensitive information about its environment, users, or associated data.Guidelines:",{"point":"f9","priority":"6","details":"fa"},"CWE-ID: 210Self-generated Error Message Containing Sensitive Information","The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.Guidelines:",{"point":"fc","priority":"6","details":"fd"},"CWE-ID: 211Externally-Generated Error Message Containing Sensitive Information","The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. 
The error can contain sensitive system information.Guidelines:::TYPE:Relationship:NOTE:This is inherently a resultant vulnerability from a weakness within the product or an interaction error.::",{"point":"ff","priority":"6","details":"fg"},"CWE-ID: 212Improper Removal of Sensitive Information Before Storage or Transfer","The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:This entry is intended to be different from resultant information leaks, including those that occur from improper buffer initialization and reuse, improper encryption, interaction errors, and multiple interpretation errors. This entry could be regarded as a privacy leak, depending on the type of information that is leaked.::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Terminology:NOTE:The terms cleansing and scrubbing have multiple uses within computing. 
In information security, these are used for the removal of sensitive data, but they are also used for the modification of incoming/outgoing data so that it conforms to specifications.::",{"point":"fi","priority":"6","details":"fj"},"CWE-ID: 213Exposure of Sensitive Information Due to Incompatible Policies","The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Guidelines:::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (CWE-359) and system-level exposures that are important to system administrators (CWE-497).::TYPE:Theoretical:NOTE:In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.::",{"point":"fl","priority":"6","details":"fm"},"CWE-ID: 214Invocation of Process Using Visible Sensitive Information","A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, especially environment variables.::",{"point":"fo","priority":"6","details":"fp"},"CWE-ID: 215Insertion of Sensitive Information Into Debugging Code","The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled 
in production.Guidelines:::TYPE:Relationship:NOTE:This overlaps other categories.::",{"point":"fr","priority":"6","details":"fs"},"CWE-ID: 219Storage of File with Sensitive Data Under Web Root","The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fu","priority":"6","details":"fv"},"CWE-ID: 220Storage of File With Sensitive Data Under FTP Root","The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.Guidelines:",{"point":"fx","priority":"6","details":"fy"},"CWE-ID: 221Information Loss or Omission","The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.Guidelines:",{"point":"g0","priority":"6","details":"g1"},"CWE-ID: 222Truncation of Security-relevant Information","The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.Guidelines:",{"point":"g3","priority":"6","details":"g4"},"CWE-ID: 223Omission of Security-relevant Information","The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.Guidelines:",{"point":"g6","priority":"6","details":"g7"},"CWE-ID: 224Obscured Security-relevant Information by Alternate Name","The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.Guidelines:",{"point":"g9","priority":"6","details":"ga"},"CWE-ID: 226Sensitive Information in Resource Not Removed Before Reuse","The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or zeroize the information contained in the resource before the product 
performs a critical state transition or makes the resource available for reuse by other entities.Guidelines:::TYPE:Relationship:NOTE:There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).::TYPE:Maintenance:NOTE:This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.::TYPE:Research Gap:NOTE:This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.::",{"point":"gc","priority":"6","details":"gd"},"CWE-ID: 228Improper Handling of Syntactically Invalid Structure","The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more investigation. Public vulnerability research generally focuses on the manipulations that generate invalid structure, instead of the weaknesses that are exploited by those manipulations. For example, a common attack involves making a request that omits a required field, which can trigger a crash in some cases. 
The crash could be due to a named chain such as CWE-690 (Unchecked Return Value to NULL Pointer Dereference), but public reports rarely cover this aspect of a vulnerability.::TYPE:Theoretical:NOTE:The validity of input could be roughly classified along syntactic, semantic, and lexical dimensions. If the specification requires that an input value should be delimited with the [ and ] square brackets, then any input that does not follow this specification would be syntactically invalid. If the input between the brackets is expected to be a number, but the letters aaa are provided, then the input is syntactically invalid. If the input is a number and enclosed in brackets, but the number is outside of the allowable range, then it is semantically invalid. The inter-relationships between these properties - and their associated weaknesses- need further exploration.::",{"point":"gf","priority":"6","details":"gg"},"CWE-ID: 229Improper Handling of Values","The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.Guidelines:",{"point":"gi","priority":"6","details":"gj"},"CWE-ID: 230Improper Handling of Missing Values","The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. 
it is empty, blank, or null.Guidelines:::TYPE:Research Gap:NOTE:Some crash by port scan bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.::",{"point":"gl","priority":"6","details":"gm"},"CWE-ID: 231Improper Handling of Extra Values","The product does not handle or incorrectly handles when more values are provided than expected.Guidelines:::TYPE:Relationship:NOTE:This can overlap buffer overflows.::",{"point":"go","priority":"6","details":"gp"},"CWE-ID: 232Improper Handling of Undefined Values","The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.Guidelines:",{"point":"gr","priority":"6","details":"gs"},"CWE-ID: 233Improper Handling of Parameters","The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.Guidelines:",{"point":"gu","priority":"6","details":"gv"},"CWE-ID: 234Failure to Handle Missing Parameter","If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.Guidelines:::TYPE:Maintenance:NOTE:This entry will be deprecated in a future version of CWE. The term missing parameter was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. 
They are related to an incorrect number of function arguments, which is already covered by CWE-685.::",{"point":"gx","priority":"6","details":"gy"},"CWE-ID: 235Improper Handling of Extra Parameters","The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.Guidelines:::TYPE:Relationship:NOTE:This type of problem has a big role in multiple interpretation vulnerabilities and various HTTP attacks.::",{"point":"h0","priority":"6","details":"h1"},"CWE-ID: 236Improper Handling of Undefined Parameters","The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.Guidelines:",{"point":"h3","priority":"6","details":"h4"},"CWE-ID: 237Improper Handling of Structural Elements","The product does not handle or incorrectly handles inputs that are related to complex structures.Guidelines:",{"point":"h6","priority":"6","details":"h7"},"CWE-ID: 238Improper Handling of Incomplete Structural Elements","The product does not handle or incorrectly handles when a particular structural element is not completely specified.Guidelines:::TYPE:Relationship:NOTE:Can be primary to other problems.::",{"point":"h9","priority":"6","details":"ha"},"CWE-ID: 239Failure to Handle Incomplete Element","The product does not properly handle when a particular element is not completely specified.Guidelines:",{"point":"hc","priority":"6","details":"hd"},"CWE-ID: 240Improper Handling of Inconsistent Structural Elements","The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.Guidelines:",{"point":"hf","priority":"6","details":"hg"},"CWE-ID: 241Improper Handling of Unexpected Data Type","The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. 
it expects a digit (0-9) but is provided with a letter (A-Z).Guidelines:::TYPE:Research Gap:NOTE:Probably under-studied.::",{"point":"hi","priority":"6","details":"hj"},"CWE-ID: 242Use of Inherently Dangerous Function","The product calls a function that can never be guaranteed to work safely.Guidelines:",{"point":"hl","priority":"6","details":"hm"},"CWE-ID: 243Creation of chroot Jail Without Changing Working Directory","The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.Guidelines:",{"point":"ho","priority":"6","details":"hp"},"CWE-ID: 244Improper Clearing of Heap Memory Before Release ('Heap Inspection')","Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.Guidelines:",{"point":"hr","priority":"6","details":"hs"},"CWE-ID: 245J2EE Bad Practices: Direct Management of Connections","The J2EE application directly manages connections, instead of using the container's connection management facilities.Guidelines:",{"point":"hu","priority":"6","details":"hv"},"CWE-ID: 246J2EE Bad Practices: Direct Use of Sockets","The J2EE application directly uses sockets instead of using framework method calls.Guidelines:",{"point":"hx","priority":"6","details":"hy"},"CWE-ID: 248Uncaught Exception","An exception is thrown from a function, but it is not caught.Guidelines:",{"point":"i0","priority":"6","details":"i1"},"CWE-ID: 250Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-653 (Insufficient Separation of Privileges). 
CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible.::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category. Both CWE-272 and CWE-250 are in active use by the community. The least privilege phrase has multiple interpretations.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"i3","priority":"6","details":"i4"},"CWE-ID: 252Unchecked Return Value","The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Guidelines:",{"point":"i6","priority":"6","details":"i7"},"CWE-ID: 253Incorrect Check of Function Return Value","The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.Guidelines:",{"point":"i9","priority":"6","details":"ia"},"CWE-ID: 256Plaintext Storage of a Password","Storing a password in plaintext may result in a system compromise.Guidelines:",{"point":"ic","priority":"6","details":"id"},"CWE-ID: 257Storing Passwords in a Recoverable Format","The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. 
In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.Guidelines:::TYPE:Maintenance:NOTE:The meaning of this entry needs to be investigated more closely, especially with respect to what is meant by recoverable.::",{"point":"if","priority":"6","details":"ig"},"CWE-ID: 258Empty Password in Configuration File","Using an empty string as a password is insecure.Guidelines:",{"point":"ii","priority":"6","details":"ij"},"CWE-ID: 259Use of Hard-coded Password","The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.Guidelines:::TYPE:Maintenance:NOTE:This entry could be split into multiple variants: an inbound variant (as seen in the second demonstrative example) and an outbound variant (as seen in the first demonstrative example). These variants are likely to have different consequences, detectability, etc. More importantly, from a vulnerability theory perspective, they could be characterized as different behaviors.::",{"point":"il","priority":"6","details":"im"},"CWE-ID: 260Password in Configuration File","The product stores a password in a configuration file that might be accessible to actors who do not know the password.Guidelines:",{"point":"io","priority":"6","details":"ip"},"CWE-ID: 261Weak Encoding for Password","Obscuring a password with a trivial encoding does not protect the password.Guidelines:::TYPE:Other:NOTE:The crypt family of functions uses weak cryptographic algorithms and should be avoided. 
It may be present in some projects for compatibility.::",{"point":"ir","priority":"6","details":"is"},"CWE-ID: 262Not Using Password Aging","The product does not have a mechanism in place for managing password aging.Guidelines:",{"point":"iu","priority":"6","details":"iv"},"CWE-ID: 263Password Aging with Long Expiration","The product supports password aging, but the expiration period is too long.Guidelines:",{"point":"ix","priority":"6","details":"iy"},"CWE-ID: 266Incorrect Privilege Assignment","A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Guidelines:",{"point":"j0","priority":"6","details":"j1"},"CWE-ID: 267Privilege Defined With Unsafe Actions","A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.Guidelines:::TYPE:Maintenance:NOTE:Note: there are 2 separate sub-categories here: - privilege incorrectly allows entities to perform certain actions - object is incorrectly accessible to entities with a given privilege::",{"point":"j3","priority":"6","details":"j4"},"CWE-ID: 268Privilege Chaining","Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.Guidelines:::TYPE:Relationship:NOTE:There is some conceptual overlap with Unsafe Privilege.::",{"point":"j6","priority":"6","details":"j7"},"CWE-ID: 269Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. 
One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"j9","priority":"6","details":"ja"},"CWE-ID: 270Privilege Context Switching Error","The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.Guidelines:::TYPE:Research Gap:NOTE:This concept needs more study.::",{"point":"jc","priority":"6","details":"jd"},"CWE-ID: 271Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::",{"point":"jf","priority":"6","details":"jg"},"CWE-ID: 272Least Privilege Violation","The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.Guidelines:::TYPE:Maintenance:NOTE:CWE-271, CWE-272, and CWE-250 are all closely related and possibly overlapping. CWE-271 is probably better suited as a category.::TYPE:Other:NOTE:If system privileges are not dropped when it is reasonable to do so, this is not a vulnerability by itself. According to the principle of least privilege, access should be allowed only when it is absolutely necessary to the function of a given system, and only for the minimal necessary amount of time. Any further allowance of privilege widens the window of time during which a successful exploitation of the system will provide an attacker with that same privilege. If at all possible, limit the allowance of system privilege to small, simple sections of code that may be called atomically. When a program calls a privileged function, such as chroot(), it must first acquire root privilege. 
As soon as the privileged operation has completed, the program should drop root privilege and return to the privilege level of the invoking user.::",{"point":"ji","priority":"6","details":"jj"},"CWE-ID: 273Improper Check for Dropped Privileges","The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.Guidelines:",{"point":"jl","priority":"6","details":"jm"},"CWE-ID: 274Improper Handling of Insufficient Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:Overlaps dropped privileges, insufficient permissions.::TYPE:Theoretical:NOTE:This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::",{"point":"jo","priority":"6","details":"jp"},"CWE-ID: 276Incorrect Default Permissions","During installation, installed file permissions are set to allow anyone to modify those files.Guidelines:",{"point":"jr","priority":"6","details":"js"},"CWE-ID: 277Insecure Inherited Permissions","A product defines a set of insecure permissions that are inherited by objects that are created by the program.Guidelines:",{"point":"ju","priority":"6","details":"jv"},"CWE-ID: 278Insecure Preserved Inherited Permissions","A product inherits a set of insecure permissions for an object, e.g. 
when copying from an archive file, without user awareness or involvement.Guidelines:",{"point":"jx","priority":"6","details":"jy"},"CWE-ID: 279Incorrect Execution-Assigned Permissions","While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.Guidelines:",{"point":"k0","priority":"6","details":"k1"},"CWE-ID: 280Improper Handling of Insufficient Permissions or Privileges","The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Guidelines:::TYPE:Maintenance:NOTE:CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.::TYPE:Relationship:NOTE:This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).::TYPE:Theoretical:NOTE:Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).::TYPE:Research Gap:NOTE:This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. 
However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.::",{"point":"k3","priority":"6","details":"k4"},"CWE-ID: 281Improper Preservation of Permissions","The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.Guidelines:",{"point":"k6","priority":"6","details":"k7"},"CWE-ID: 282Improper Ownership Management","The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"k9","priority":"6","details":"ka"},"CWE-ID: 283Unverified Ownership","The product does not properly verify that a critical resource is owned by the proper entity.Guidelines:::TYPE:Relationship:NOTE:This overlaps insufficient comparison, verification errors, permissions, and privileges.::",{"point":"kc","priority":"6","details":"kd"},"CWE-ID: 284Improper Access Control","The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Guidelines:::TYPE:Maintenance:NOTE:This entry needs more work. 
Possible sub-categories include: Trusted group includes undesired entities (partially covered by CWE-286) Group can perform undesired actions ACL parse error does not fail closed::",{"point":"kf","priority":"6","details":"kg"},"CWE-ID: 285Improper Authorization","The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"ki","priority":"6","details":"kj"},"CWE-ID: 286Incorrect User Management","The product does not properly manage a user within its environment.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::TYPE:Maintenance:NOTE:This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or configuration. It also might be better expressed as a category than a weakness.::",{"point":"kl","priority":"6","details":"km"},"CWE-ID: 287Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from SQL injection vulnerabilities and other issues.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"ko","priority":"6","details":"kp"},"CWE-ID: 288Authentication Bypass Using an Alternate Path or Channel","A product requires authentication, but the product has an alternate path or channel that does not require authentication.Guidelines:::TYPE:Relationship:NOTE:overlaps Unprotected Alternate Channel::",{"point":"kr","priority":"6","details":"ks"},"CWE-ID: 289Authentication Bypass by Alternate Name","The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.Guidelines:::TYPE:Relationship:NOTE:Overlaps equivalent encodings, canonicalization, authorization, multiple trailing slash, trailing space, mixed case, and other equivalence issues.::TYPE:Theoretical:NOTE:Alternate names are useful in data driven manipulation attacks, not just for authentication.::",{"point":"ku","priority":"6","details":"kv"},"CWE-ID: 290Authentication Bypass by Spoofing","This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from insufficient verification.::",{"point":"kx","priority":"6","details":"ky"},"CWE-ID: 291Reliance on IP Address for Authentication","The product uses an IP address for authentication.Guidelines:",{"point":"l0","priority":"6","details":"l1"},"CWE-ID: 293Using Referer Field for Authentication","The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.Guidelines:",{"point":"l3","priority":"6","details":"l4"},"CWE-ID: 294Authentication Bypass by Capture-replay","A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff 
network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Guidelines:",{"point":"l6","priority":"6","details":"l7"},"CWE-ID: 295Improper Certificate Validation","The product does not validate, or incorrectly validates, a certificate.Guidelines:",{"point":"l9","priority":"6","details":"la"},"CWE-ID: 296Improper Following of a Certificate's Chain of Trust","The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.Guidelines:",{"point":"lc","priority":"6","details":"ld"},"CWE-ID: 297Improper Validation of Certificate with Host Mismatch","The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.Guidelines:",{"point":"lf","priority":"6","details":"lg"},"CWE-ID: 298Improper Validation of Certificate Expiration","A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.Guidelines:",{"point":"li","priority":"6","details":"lj"},"CWE-ID: 299Improper Check for Certificate Revocation","The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.Guidelines:",{"point":"ll","priority":"6","details":"lm"},"CWE-ID: 300Channel Accessible by Non-Endpoint","The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.Guidelines:::TYPE:Maintenance:NOTE:The summary identifies multiple distinct possibilities, suggesting that this is a category that must be 
broken into more specific weaknesses.::",{"point":"lo","priority":"6","details":"lp"},"CWE-ID: 301Reflection Attack in an Authentication Protocol","Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.Guidelines:::TYPE:Maintenance:NOTE:The term reflection is used in multiple ways within CWE and the community, so its usage should be reviewed.::",{"point":"lr","priority":"6","details":"ls"},"CWE-ID: 302Authentication Bypass by Assumed-Immutable Data","The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.Guidelines:",{"point":"lu","priority":"6","details":"lv"},"CWE-ID: 303Incorrect Implementation of Authentication Algorithm","The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.Guidelines:",{"point":"lx","priority":"6","details":"ly"},"CWE-ID: 304Missing Critical Step in Authentication","The product implements an authentication technique, but it skips a step that weakens the technique.Guidelines:",{"point":"m0","priority":"6","details":"m1"},"CWE-ID: 305Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Guidelines:::TYPE:Relationship:NOTE:Most authentication bypass errors are resultant, not primary.::",{"point":"m3","priority":"6","details":"m4"},"CWE-ID: 306Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Guidelines:",{"point":"m6","priority":"6","details":"m7"},"CWE-ID: 307Improper Restriction of Excessive Authentication Attempts","The product does not implement sufficient measures to 
prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.Guidelines:",{"point":"m9","priority":"6","details":"ma"},"CWE-ID: 308Use of Single-factor Authentication","The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.Guidelines:",{"point":"mc","priority":"6","details":"md"},"CWE-ID: 309Use of Password System for Primary Authentication","The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.Guidelines:",{"point":"mf","priority":"6","details":"mg"},"CWE-ID: 311Missing Encryption of Sensitive Data","The product does not encrypt sensitive or critical information before storage or transmission.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.::",{"point":"mi","priority":"6","details":"mj"},"CWE-ID: 312Cleartext Storage of Sensitive Information","The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"ml","priority":"6","details":"mm"},"CWE-ID: 313Cleartext Storage in a File or on Disk","The product stores sensitive information in cleartext in a file, or on disk.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mo","priority":"6","details":"mp"},"CWE-ID: 314Cleartext Storage in the Registry","The product stores sensitive information in cleartext in the registry.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mr","priority":"6","details":"ms"},"CWE-ID: 315Cleartext Storage of Sensitive Information in a Cookie","The product stores sensitive information in cleartext in a cookie.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. 
Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mu","priority":"6","details":"mv"},"CWE-ID: 316Cleartext Storage of Sensitive Information in Memory","The product stores sensitive information in cleartext in memory.Guidelines:::TYPE:Relationship:NOTE:This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"mx","priority":"6","details":"my"},"CWE-ID: 317Cleartext Storage of Sensitive Information in GUI","The product stores sensitive information in cleartext within the GUI.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n0","priority":"6","details":"n1"},"CWE-ID: 318Cleartext Storage of Sensitive Information in Executable","The product stores sensitive information in cleartext in an executable.Guidelines:::TYPE:Terminology:NOTE:Different people use cleartext and plaintext to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. 
Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).::",{"point":"n3","priority":"6","details":"n4"},"CWE-ID: 319Cleartext Transmission of Sensitive Information","The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n6","priority":"6","details":"n7"},"CWE-ID: 321Use of Hard-coded Cryptographic Key","The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.Guidelines:::TYPE:Other:NOTE:The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. 
These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"n9","priority":"6","details":"na"},"CWE-ID: 322Key Exchange without Entity Authentication","The product performs a key exchange with an actor without verifying the identity of that actor.Guidelines:",{"point":"nc","priority":"6","details":"nd"},"CWE-ID: 323Reusing a Nonce, Key Pair in Encryption","Nonces should be used for the present occasion and only once.Guidelines:",{"point":"nf","priority":"6","details":"ng"},"CWE-ID: 324Use of a Key Past its Expiration Date","The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.Guidelines:",{"point":"ni","priority":"6","details":"nj"},"CWE-ID: 325Missing Cryptographic Step","The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.Guidelines:::TYPE:Relationship:NOTE:Overlaps incomplete/missing security check.::TYPE:Relationship:NOTE:Can be resultant.::",{"point":"nl","priority":"6","details":"nm"},"CWE-ID: 326Inadequate Encryption Strength","The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Guidelines:",{"point":"no","priority":"6","details":"np"},"CWE-ID: 327Use of a Broken or Risky Cryptographic Algorithm","The product uses a broken or risky cryptographic algorithm or protocol.Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community 
consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"nr","priority":"6","details":"ns"},"CWE-ID: 328Use of Weak Hash","The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Guidelines:::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries including CWE-328 have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. As of CWE 4.6, this work is still ongoing.::",{"point":"nu","priority":"6","details":"nv"},"CWE-ID: 329Generation of Predictable IV with CBC Mode","The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. 
However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"nx","priority":"6","details":"ny"},"CWE-ID: 330Use of Insufficiently Random Values","The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-330 and its descendants are being investigated by the CWE crypto team to identify gaps related to randomness and unpredictability, as well as the relationships between randomness and cryptographic primitives. This subtree analysis might result in the addition or deprecation of existing entries; the reorganization of relationships in some views, e.g. the research view (CWE-1000); more consistent use of terminology; and/or significant modifications to related entries.::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o0","priority":"6","details":"o1"},"CWE-ID: 331Insufficient Entropy","The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o3","priority":"6","details":"o4"},"CWE-ID: 332Insufficient Entropy in PRNG","The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o6","priority":"6","details":"o7"},"CWE-ID: 333Improper Handling of Insufficient Entropy in TRNG","True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"o9","priority":"6","details":"oa"},"CWE-ID: 334Small Space of Random Values","The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oc","priority":"6","details":"od"},"CWE-ID: 335Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"of","priority":"6","details":"og"},"CWE-ID: 336Same Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oi","priority":"6","details":"oj"},"CWE-ID: 337Predictable Seed in Pseudo-Random Number Generator (PRNG)","A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ol","priority":"6","details":"om"},"CWE-ID: 338Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"oo","priority":"6","details":"op"},"CWE-ID: 339Small Seed Space in PRNG","A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry may have a chaining relationship with predictable from observable state (CWE-341).::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"or","priority":"6","details":"os"},"CWE-ID: 340Generation of Predictable Numbers or Identifiers","The product uses a scheme that generates numbers or identifiers that are more predictable than required.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ou","priority":"6","details":"ov"},"CWE-ID: 341Predictable from Observable State","A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"ox","priority":"6","details":"oy"},"CWE-ID: 342Predictable Exact Value from Previous Values","An exact value or random number can be precisely predicted by observing previous values.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p0","priority":"6","details":"p1"},"CWE-ID: 343Predictable Value Range from Previous Values","The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"p3","priority":"6","details":"p4"},"CWE-ID: 344Use of Invariant Value in Dynamically Changing Context","The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.Guidelines:::TYPE:Relationship:NOTE:overlaps default configuration.::",{"point":"p6","priority":"6","details":"p7"},"CWE-ID: 345Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Guidelines:::TYPE:Relationship:NOTE:origin validation could fall under this.::TYPE:Maintenance:NOTE:The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. 
In some sense, this is more like a category.::",{"point":"p9","priority":"6","details":"pa"},"CWE-ID: 346Origin Validation Error","The product does not properly verify that the source of data or communication is valid.Guidelines:::TYPE:Maintenance:NOTE:This entry has some significant overlap with other CWE entries and may need some clarification. See terminology notes.::TYPE:Terminology:NOTE:The Origin Validation Error term was originally used in a 1995 thesis [REF-324]. Although not formally defined, an issue is considered to be an origin validation error if either (1) an object [accepts] input from an unauthorized subject, or (2) the system [fails] to properly or completely authenticate a subject. A later section says that an origin validation error can occur when the system (1) does not properly authenticate a user or process or (2) does not properly authenticate the shared data or libraries. The only example provided in the thesis (covered by OSVDB:57615) involves a setuid program running command-line arguments without dropping privileges. So, this definition (and its examples in the thesis) effectively cover other weaknesses such as CWE-287 (Improper Authentication), CWE-285 (Improper Authorization), and CWE-250 (Execution with Unnecessary Privileges). 
There appears to be little usage of this term today, except in the SecurityFocus vulnerability database, where the term is used for a variety of issues, including web-browser problems that allow violation of the Same Origin Policy and improper validation of the source of an incoming message.::",{"point":"pc","priority":"6","details":"pd"},"CWE-ID: 347Improper Verification of Cryptographic Signature","The product does not verify, or incorrectly verifies, the cryptographic signature for data.Guidelines:",{"point":"pf","priority":"6","details":"pg"},"CWE-ID: 348Use of Less Trusted Source","The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Guidelines:",{"point":"pi","priority":"6","details":"pj"},"CWE-ID: 349Acceptance of Extraneous Untrusted Data With Trusted Data","The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Guidelines:",{"point":"pl","priority":"6","details":"pm"},"CWE-ID: 350Reliance on Reverse DNS Resolution for a Security-Critical Action","The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.Guidelines:::TYPE:Maintenance:NOTE:CWE-350, CWE-247, and CWE-292 were merged into CWE-350 in CWE 2.5. CWE-247 was originally derived from Seven Pernicious Kingdoms, CWE-350 from PLOVER, and CWE-292 from CLASP. All taxonomies focused closely on the use of reverse DNS for authentication of incoming requests.::",{"point":"po","priority":"6","details":"pp"},"CWE-ID: 351Insufficient Type Distinction","The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.Guidelines:::TYPE:Relationship:NOTE:Overlaps others, e.g. 
Multiple Interpretation Errors.::",{"point":"pr","priority":"6","details":"ps"},"CWE-ID: 352Cross-Site Request Forgery (CSRF)","The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Guidelines:::TYPE:Relationship:NOTE:There can be a close relationship between XSS and CSRF (CWE-352). An attacker might use CSRF in order to trick the victim into submitting requests to the server in which the requests contain an XSS payload. A well-known example of this was the Samy worm on MySpace [REF-956]. The worm used XSS to insert malicious HTML sequences into a user's profile and add the attacker as a MySpace friend. MySpace friends of that victim would then execute the payload to modify their own profiles, causing the worm to propagate exponentially. Since the victims did not intentionally insert the malicious script themselves, CSRF was a root cause.::TYPE:Theoretical:NOTE:The CSRF topology is multi-channel: Attacker (as outsider) to intermediary (as user). The interaction point is either an external or internal channel. Intermediary (as user) to server (as victim). The activation point is an internal channel.::",{"point":"pu","priority":"6","details":"pv"},"CWE-ID: 353Missing Support for Integrity Check","The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.Guidelines:",{"point":"px","priority":"6","details":"py"},"CWE-ID: 354Improper Validation of Integrity Check Value","The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission.Guidelines:",{"point":"q0","priority":"6","details":"q1"},"CWE-ID: 356Product UI does not Warn User of Unsafe Actions","The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.Guidelines:::TYPE:Relationship:NOTE:Often resultant, e.g. in unhandled error conditions.::TYPE:Relationship:NOTE:Can overlap privilege errors, conceptually at least.::",{"point":"q3","priority":"6","details":"q4"},"CWE-ID: 357Insufficient UI Warning of Dangerous Operations","The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.Guidelines:",{"point":"q6","priority":"6","details":"q7"},"CWE-ID: 358Improperly Implemented Security Check for Standard","The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Guidelines:::TYPE:Relationship:NOTE:This is a missing step error on the product side, which can overlap weaknesses such as insufficient verification and spoofing. It is frequently found in cryptographic and authentication errors. It is sometimes resultant.::",{"point":"q9","priority":"6","details":"qa"},"CWE-ID: 359Exposure of Private Personal Information to an Unauthorized Actor","The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.Guidelines:::TYPE:Maintenance:NOTE:This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed. 
However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - and how - this entry should be deprecated.::",{"point":"qc","priority":"6","details":"qd"},"CWE-ID: 360Trust of System Event Data","Security based on event locations are insecure and can be spoofed.Guidelines:",{"point":"qf","priority":"6","details":"qg"},"CWE-ID: 362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Guidelines:::TYPE:Maintenance:NOTE:The relationship between race conditions and synchronization problems (CWE-662) needs to be further developed. They are not necessarily two perspectives of the same core concept, since synchronization is only one technique for avoiding race conditions, and synchronization can be used for other purposes besides race condition prevention.::TYPE:Research Gap:NOTE:Race conditions in web applications are under-studied and probably under-reported. 
However, in 2008 there has been growing interest in this area.::TYPE:Research Gap:NOTE:Much of the focus of race condition research has been in Time-of-check Time-of-use (TOCTOU) variants (CWE-367), but many race conditions are related to synchronization problems that do not necessarily require a time-of-check.::TYPE:Research Gap:NOTE:From a classification/taxonomy perspective, the relationships between concurrency and program state need closer investigation and may be useful in organizing related issues.::",{"point":"qi","priority":"6","details":"qj"},"CWE-ID: 363Race Condition Enabling Link Following","The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Guidelines:::TYPE:Relationship:NOTE:This is already covered by the Link Following weakness (CWE-59). It is included here because so many people associate race conditions with link problems; however, not all link following issues involve race conditions.::",{"point":"ql","priority":"6","details":"qm"},"CWE-ID: 364Signal Handler Race Condition","The product uses a signal handler that introduces a race condition.Guidelines:",{"point":"qo","priority":"6","details":"qp"},"CWE-ID: 366Race Condition within a Thread","If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.Guidelines:",{"point":"qr","priority":"6","details":"qs"},"CWE-ID: 367Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. 
This can cause the product to perform invalid actions when the resource is in an unexpected state.Guidelines:::TYPE:Relationship:NOTE:TOCTOU issues do not always involve symlinks, and not every symlink issue is a TOCTOU problem.::TYPE:Research Gap:NOTE:Non-symlink TOCTOU issues are not reported frequently, but they are likely to occur in code that attempts to be secure.::",{"point":"qu","priority":"6","details":"qv"},"CWE-ID: 368Context Switching Race Condition","A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.Guidelines:::TYPE:Relationship:NOTE:Can overlap signal handler race conditions.::TYPE:Research Gap:NOTE:Under-studied as a concept. Frequency unknown; few vulnerability reports give enough detail to know when a context switching race condition is a factor.::",{"point":"qx","priority":"6","details":"qy"},"CWE-ID: 369Divide By Zero","The product divides a value by zero.Guidelines:",{"point":"r0","priority":"6","details":"r1"},"CWE-ID: 370Missing Check for Certificate Revocation after Initial Check","The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.Guidelines:",{"point":"r3","priority":"6","details":"r4"},"CWE-ID: 372Incomplete Internal State Distinction","The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.Guidelines:::TYPE:Relationship:NOTE:This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.::TYPE:Relationship:NOTE:This is probably resultant from other weaknesses 
such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.::TYPE:Maintenance:NOTE:This entry is being considered for deprecation. It was poorly-defined in PLOVER and is not easily described using the behavior/resource/property model of vulnerability theory.::",{"point":"r6","priority":"6","details":"r7"},"CWE-ID: 374Passing Mutable Objects to an Untrusted Method","The product sends non-cloned mutable data as an argument to a method or function.Guidelines:",{"point":"r9","priority":"6","details":"ra"},"CWE-ID: 375Returning a Mutable Object to an Untrusted Caller","Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.Guidelines:",{"point":"rc","priority":"6","details":"rd"},"CWE-ID: 377Insecure Temporary File","Creating and using insecure temporary files can leave application and system data vulnerable to attack.Guidelines:::TYPE:Other:NOTE:Applications require temporary files so frequently that many different mechanisms exist for creating them in the C Library and Windows(R) API. Most of these functions are vulnerable to various forms of attacks. The functions designed to aid in the creation of temporary files can be broken into two groups based whether they simply provide a filename or actually open a new file. - Group 1: Unique Filenames: The first group of C Library and WinAPI functions designed to help with the process of creating temporary files do so by generating a unique file name for a new temporary file, which the program is then supposed to open. This group includes C Library functions like tmpnam(), tempnam(), mktemp() and their C++ equivalents prefaced with an _ (underscore) as well as the GetTempFileName() function from the Windows API. This group of functions suffers from an underlying race condition on the filename chosen. 
Although the functions guarantee that the filename is unique at the time it is selected, there is no mechanism to prevent another process or an attacker from creating a file with the same name after it is selected but before the application attempts to open the file. Beyond the risk of a legitimate collision caused by another call to the same function, there is a high probability that an attacker will be able to create a malicious collision because the filenames generated by these functions are not sufficiently randomized to make them difficult to guess. If a file with the selected name is created, then depending on how the file is opened the existing contents or access permissions of the file may remain intact. If the existing contents of the file are malicious in nature, an attacker may be able to inject dangerous data into the application when it reads data back from the temporary file. If an attacker pre-creates the file with relaxed access permissions, then data stored in the temporary file by the application may be accessed, modified or corrupted by an attacker. On Unix based systems an even more insidious attack is possible if the attacker pre-creates the file as a link to another important file. Then, if the application truncates or writes data to the file, it may unwittingly perform damaging operations for the attacker. This is an especially serious threat if the program operates with elevated permissions. Finally, in the best case the file will be opened with the a call to open() using the O_CREAT and O_EXCL flags or to CreateFile() using the CREATE_NEW attribute, which will fail if the file already exists and therefore prevent the types of attacks described above. However, if an attacker is able to accurately predict a sequence of temporary file names, then the application may be prevented from opening necessary temporary storage causing a denial of service (DoS) attack. 
This type of attack would not be difficult to mount given the small amount of randomness used in the selection of the filenames generated by these functions. - Group 2: Unique Files: The second group of C Library functions attempts to resolve some of the security problems related to temporary files by not only generating a unique file name, but also opening the file. This group includes C Library functions like tmpfile() and its C++ equivalents prefaced with an _ (underscore), as well as the slightly better-behaved C Library function mkstemp(). The tmpfile() style functions construct a unique filename and open it in the same way that fopen() would if passed the flags wb+, that is, as a binary file in read/write mode. If the file already exists, tmpfile() will truncate it to size zero, possibly in an attempt to assuage the security concerns mentioned earlier regarding the race condition that exists between the selection of a supposedly unique filename and the subsequent opening of the selected file. However, this behavior clearly does not solve the function's security problems. First, an attacker can pre-create the file with relaxed access-permissions that will likely be retained by the file opened by tmpfile(). Furthermore, on Unix based systems if the attacker pre-creates the file as a link to another important file, the application may use its possibly elevated permissions to truncate that file, thereby doing damage on behalf of the attacker. Finally, if tmpfile() does create a new file, the access permissions applied to that file will vary from one operating system to another, which can leave application data vulnerable even if an attacker is unable to predict the filename to be used in advance. Finally, mkstemp() is a reasonably safe way create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user combined with a series of randomly generated characters. 
If it is unable to create such a file, it will fail and return -1. On modern systems the file is opened using mode 0600, which means the file will be secure from tampering unless the user explicitly changes its access permissions. However, mkstemp() still suffers from the use of predictable file names and can leave an application vulnerable to denial of service attacks if an attacker causes mkstemp() to fail by predicting and pre-creating the filenames to be used.::",{"point":"rf","priority":"6","details":"rg"},"CWE-ID: 378Creation of Temporary File With Insecure Permissions","Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Guidelines:",{"point":"ri","priority":"6","details":"rj"},"CWE-ID: 379Creation of Temporary File in Directory with Insecure Permissions","The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.Guidelines:",{"point":"rl","priority":"6","details":"rm"},"CWE-ID: 382J2EE Bad Practices: Use of System.exit()","A J2EE application uses System.exit(), which also shuts down its container.Guidelines:",{"point":"ro","priority":"6","details":"rp"},"CWE-ID: 383J2EE Bad Practices: Direct Use of Threads","Thread management in a Web application is forbidden in some circumstances and is always highly error prone.Guidelines:",{"point":"rr","priority":"6","details":"rs"},"CWE-ID: 384Session Fixation","Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Guidelines:::TYPE:Other:NOTE:Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. 
Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.::",{"point":"ru","priority":"6","details":"rv"},"CWE-ID: 385Covert Timing Channel","Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"rx","priority":"6","details":"ry"},"CWE-ID: 386Symbolic Name not Mapping to Correct Object","A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.Guidelines:",{"point":"s0","priority":"6","details":"s1"},"CWE-ID: 390Detection of Error Condition Without Action","The product detects a specific error, but takes no actions to handle the error.Guidelines:",{"point":"s3","priority":"6","details":"s4"},"CWE-ID: 391Unchecked Error Condition","[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] 
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.Guidelines:::TYPE:Maintenance:NOTE:This entry is slated for deprecation; it has multiple widespread interpretations by CWE analysts. It currently combines information from three different taxonomies, but each taxonomy is talking about a slightly different issue. CWE analysts might map to this entry based on any of these issues. 7PK has Empty Catch Block which has an association with empty exception block (CWE-1069); in this case, the exception has performed the check, but does not handle. In PLOVER there is Unchecked Return Value which is CWE-252, but unlike Empty Catch Block there isn't even a check of the issue - and Unchecked Error Condition implies lack of a check. For CLASP, Uncaught Exception (CWE-248) is associated with incorrect error propagation - uncovered in CWE 3.2 and earlier, at least. There are other issues related to error handling and checks.::TYPE:Other:NOTE:When a programmer ignores an exception, they implicitly state that they are operating under one of two assumptions: This method call can never fail. 
It doesn't matter if this call fails.::",{"point":"s6","priority":"6","details":"s7"},"CWE-ID: 392Missing Report of Error Condition","The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.Guidelines:",{"point":"s9","priority":"6","details":"sa"},"CWE-ID: 393Return of Wrong Status Code","A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.Guidelines:::TYPE:Relationship:NOTE:This can be primary or resultant, but it is probably most often primary to other issues.::",{"point":"sc","priority":"6","details":"sd"},"CWE-ID: 394Unexpected Status Code or Return Value","The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.Guidelines:::TYPE:Relationship:NOTE:Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.::",{"point":"sf","priority":"6","details":"sg"},"CWE-ID: 395Use of NullPointerException Catch to Detect NULL Pointer Dereference","Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.Guidelines:",{"point":"si","priority":"6","details":"sj"},"CWE-ID: 396Declaration of Catch for Generic Exception","Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:",{"point":"sl","priority":"6","details":"sm"},"CWE-ID: 397Declaration of Throws for Generic Exception","Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.Guidelines:::TYPE:Applicable Platform:NOTE:For C++, this weakness only applies to C++98, C++03, and C++11. 
It relies on a feature known as Dynamic Exception Specification, which was part of early versions of C++ but was deprecated in C++11. It has been removed for C++17 and later.::",{"point":"so","priority":"6","details":"sp"},"CWE-ID: 400Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Guidelines:::TYPE:Maintenance:NOTE:Resource consumption could be interpreted as a consequence instead of an insecure behavior, so this entry is being considered for modification. It appears to be referenced too frequently when more precise mappings are available. Some of its children, such as CWE-771, might be better considered as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect the underlying weaknesses that enable these attacks (or consequences) to take place.::TYPE:Other:NOTE:Database queries that take a long time to process are good DoS targets. An attacker would have to write a few lines of Perl code to generate enough traffic to exceed the site's ability to keep up. This would effectively prevent authorized users from using the site at all. Resources can be exploited simply by ensuring that the target machine must do much more work and consume more resources in order to service a request than the attacker must do to initiate a request. A prime example of this can be found in old switches that were vulnerable to macof attacks (so named for a tool developed by Dugsong). These attacks flooded a switch with random IP and MAC address combinations, therefore exhausting the switch's cache, which held the information of which port corresponded to which MAC addresses. 
Once this cache was exhausted, the switch would fail in an insecure way and would begin to act simply as a hub, broadcasting all traffic on all ports and allowing for basic sniffing attacks.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"sr","priority":"6","details":"ss"},"CWE-ID: 401Missing Release of Memory after Effective Lifetime","The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Guidelines:::TYPE:Relationship:NOTE:This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.::TYPE:Terminology:NOTE:memory leak has sometimes been used to describe other kinds of issues, e.g. 
for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).::",{"point":"su","priority":"6","details":"sv"},"CWE-ID: 402Transmission of Private Resources into a New Sphere ('Resource Leak')","The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.Guidelines:",{"point":"sx","priority":"6","details":"sy"},"CWE-ID: 403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')","A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.Guidelines:",{"point":"t0","priority":"6","details":"t1"},"CWE-ID: 404Improper Resource Shutdown or Release","The product does not release or incorrectly releases a resource before it is made available for re-use.Guidelines:::TYPE:Relationship:NOTE:Overlaps memory leaks, asymmetric resource consumption, malformed input errors.::",{"point":"t3","priority":"6","details":"t4"},"CWE-ID: 405Asymmetric Resource Consumption (Amplification)","The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is asymmetric.Guidelines:",{"point":"t6","priority":"6","details":"t7"},"CWE-ID: 406Insufficient Control of Network Message Volume (Network Amplification)","The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.Guidelines:::TYPE:Relationship:NOTE:This can be resultant from weaknesses that simplify spoofing attacks.::TYPE:Theoretical:NOTE:Network amplification, when performed with spoofing, is normally a multi-channel attack from 
attacker (acting as user) to amplifier, and amplifier to victim.::",{"point":"t9","priority":"6","details":"ta"},"CWE-ID: 407Inefficient Algorithmic Complexity","An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.Guidelines:",{"point":"tc","priority":"6","details":"td"},"CWE-ID: 408Incorrect Behavior Order: Early Amplification","The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.Guidelines:::TYPE:Relationship:NOTE:Overlaps authentication errors.::",{"point":"tf","priority":"6","details":"tg"},"CWE-ID: 409Improper Handling of Highly Compressed Data (Data Amplification)","The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.Guidelines:",{"point":"ti","priority":"6","details":"tj"},"CWE-ID: 410Insufficient Resource Pool","The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.Guidelines:",{"point":"tl","priority":"6","details":"tm"},"CWE-ID: 412Unrestricted Externally Accessible Lock","The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.Guidelines:::TYPE:Relationship:NOTE:This overlaps Insufficient Resource Pool when the pool is of size 1. 
It can also be resultant from race conditions, although the timing window could be quite large in some cases.::",{"point":"to","priority":"6","details":"tp"},"CWE-ID: 413Improper Resource Locking","The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Guidelines:",{"point":"tr","priority":"6","details":"ts"},"CWE-ID: 414Missing Lock Check","A product does not check to see if a lock is present before performing sensitive operations on a resource.Guidelines:",{"point":"tu","priority":"6","details":"tv"},"CWE-ID: 415Double Free","The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Guidelines:::TYPE:Relationship:NOTE:This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.::TYPE:Theoretical:NOTE:It could be argued that Double Free would be most appropriately located as a child of Use after Free, but Use and Release are considered to be distinct operations within vulnerability theory, therefore this is more accurately Release of a Resource after Expiration or Release, which doesn't exist yet.::",{"point":"tx","priority":"6","details":"ty"},"CWE-ID: 416Use After Free","Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Guidelines:",{"point":"u0","priority":"6","details":"u1"},"CWE-ID: 419Unprotected Primary Channel","The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.Guidelines:",{"point":"u3","priority":"6","details":"u4"},"CWE-ID: 420Unprotected Alternate Channel","The product protects a primary channel, but it does not use the same level of protection for an alternate channel.Guidelines:::TYPE:Relationship:NOTE:This can be primary to authentication errors, and resultant from 
unhandled error conditions.::",{"point":"u6","priority":"6","details":"u7"},"CWE-ID: 421Race Condition During Access to Alternate Channel","The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.Guidelines:",{"point":"u9","priority":"6","details":"ua"},"CWE-ID: 422Unprotected Windows Messaging Channel ('Shatter')","The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.Guidelines:::TYPE:Relationship:NOTE:Overlaps privilege errors and UI errors.::TYPE:Research Gap:NOTE:Possibly under-reported, probably under-studied. It is suspected that a number of publicized vulnerabilities that involve local privilege escalation on Windows systems may be related to Shatter attacks, but they are not labeled as such. Alternate channel attacks likely exist in other operating systems and messaging models, e.g. in privileged X Windows applications, but examples are not readily available.::",{"point":"uc","priority":"6","details":"ud"},"CWE-ID: 424Improper Protection of Alternate Path","The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.Guidelines:",{"point":"uf","priority":"6","details":"ug"},"CWE-ID: 425Direct Request ('Forced Browsing')","The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Guidelines:::TYPE:Relationship:NOTE:Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.::TYPE:Theoretical:NOTE:Forced browsing is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. 
The application does not verify that the first step was performed successfully before the second step. The consequence is typically authentication bypass or path disclosure, although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.::",{"point":"ui","priority":"6","details":"uj"},"CWE-ID: 426Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Guidelines:",{"point":"ul","priority":"6","details":"um"},"CWE-ID: 427Uncontrolled Search Path Element","The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.Guidelines:::TYPE:Relationship:NOTE:Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere (i.e., modification of a search path), this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control (i.e., the search path cannot be modified by an attacker, but one element of the path can be under attacker control).::TYPE:Theoretical:NOTE:This weakness is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model might need enhancement or clarification.::",{"point":"uo","priority":"6","details":"up"},"CWE-ID: 428Unquoted Search Path or Element","The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness could apply to any OS that supports spaces in filenames, especially any OS that make it easy for a user to insert spaces into filenames or folders, such as Windows. 
While spaces are technically supported in Unix, the practice is generally avoided. .::TYPE:Maintenance:NOTE:This weakness primarily involves the lack of quoting, which is not explicitly stated as a part of CWE-116. CWE-116 also describes output in light of structured messages, but the generation of a filename or search path (as in this weakness) might not be considered a structured message. An additional complication is the relationship to control spheres. Unlike untrusted search path (CWE-426), which inherently involves control over the definition of a control sphere, this entry concerns a fixed control sphere in which some part of the sphere may be under attacker control. This is not a clean fit under CWE-668 or CWE-610, which suggests that the control sphere model needs enhancement or clarification.::",{"point":"ur","priority":"6","details":"us"},"CWE-ID: 430Deployment of Wrong Handler","The wrong handler is assigned to process an object.Guidelines:",{"point":"uu","priority":"6","details":"uv"},"CWE-ID: 431Missing Handler","A handler is not available or implemented.Guidelines:",{"point":"ux","priority":"6","details":"uy"},"CWE-ID: 432Dangerous Signal Handler not Disabled During Sensitive Operations","The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.Guidelines:",{"point":"v0","priority":"6","details":"v1"},"CWE-ID: 433Unparsed Raw Web Content Delivery","The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.Guidelines:::TYPE:Relationship:NOTE:This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).::",{"point":"v3","priority":"6","details":"v4"},"CWE-ID: 434Unrestricted Upload of File with Dangerous Type","The product allows the attacker 
to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Guidelines:::TYPE:Relationship:NOTE:This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.::",{"point":"v6","priority":"6","details":"v7"},"CWE-ID: 435Improper Interaction Between Multiple Correctly-Behaving Entities","An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Relationship:NOTE:The Interaction Error term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when de facto standards do not comply with specifications, or when there are no standards but there is widespread adoption. 
As a result, it can be difficult to distinguish these weaknesses during mapping and classification.::",{"point":"v9","priority":"6","details":"va"},"CWE-ID: 436Interpretation Conflict","Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.Guidelines:",{"point":"vc","priority":"6","details":"vd"},"CWE-ID: 437Incomplete Model of Endpoint Features","A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.Guidelines:::TYPE:Relationship:NOTE:This can be related to interaction errors, although in some cases, one of the endpoints is not performing correctly according to specification.::",{"point":"vf","priority":"6","details":"vg"},"CWE-ID: 439Behavioral Change in New Version or Environment","A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.Guidelines:",{"point":"vi","priority":"6","details":"vj"},"CWE-ID: 440Expected Behavior Violation","A feature, API, or function does not perform according to its specification.Guidelines:::TYPE:Theoretical:NOTE:The behavior of an application that is not consistent with the expectations of the developer may lead to incorrect use of the software.::",{"point":"vl","priority":"6","details":"vm"},"CWE-ID: 441Unintended Proxy or Intermediary ('Confused Deputy')","The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. 
This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.Guidelines:::TYPE:Relationship:NOTE:This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.::TYPE:Maintenance:NOTE:This could possibly be considered as an emergent resource.::TYPE:Theoretical:NOTE:It could be argued that the confused deputy is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.::",{"point":"vo","priority":"6","details":"vp"},"CWE-ID: 444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Guidelines:::TYPE:Theoretical:NOTE:Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).::",{"point":"vr","priority":"6","details":"vs"},"CWE-ID: 446UI Discrepancy for Security Feature","The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure 
state.Guidelines:::TYPE:Maintenance:NOTE:This entry is likely a loose composite that could be broken down into the different types of errors that cause the user interface to have incorrect interactions with the underlying security feature.::",{"point":"vu","priority":"6","details":"vv"},"CWE-ID: 447Unimplemented or Unsupported Feature in UI","A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.Guidelines:::TYPE:Research Gap:NOTE:This issue needs more study, as there are not many examples. It is not clear whether it is primary or resultant.::",{"point":"vx","priority":"6","details":"vy"},"CWE-ID: 448Obsolete Feature in UI","A UI function is obsolete and the product does not warn the user.Guidelines:",{"point":"w0","priority":"6","details":"w1"},"CWE-ID: 449The UI Performs the Wrong Action","The UI performs the wrong action with respect to the user's request.Guidelines:",{"point":"w3","priority":"6","details":"w4"},"CWE-ID: 450Multiple Interpretations of UI Input","The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.Guidelines:",{"point":"w6","priority":"6","details":"w7"},"CWE-ID: 451User Interface (UI) Misrepresentation of Critical Information","The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Guidelines:::TYPE:Maintenance:NOTE:This entry should be broken down into more precise entries. See extended description.::TYPE:Research Gap:NOTE:Misrepresentation problems are frequently studied in web browsers, but there are no known efforts for classifying these kinds of problems in terms of the shortcomings of the interface. 
In addition, many misrepresentation issues are resultant.::",{"point":"w9","priority":"6","details":"wa"},"CWE-ID: 453Insecure Default Variable Initialization","The product, by default, initializes an internal variable with an insecure or less secure value than is possible.Guidelines:::TYPE:Maintenance:NOTE:This overlaps other categories, probably should be split into separate items.::",{"point":"wc","priority":"6","details":"wd"},"CWE-ID: 454External Initialization of Trusted Variables or Data Stores","The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.Guidelines:::TYPE:Relationship:NOTE:Overlaps Missing variable initialization, especially in PHP.::TYPE:Applicable Platform:NOTE:This is often found in PHP due to register_globals and the common practice of storing library/include files under the web document root so that they are available using a direct request.::",{"point":"wf","priority":"6","details":"wg"},"CWE-ID: 455Non-exit on Failed Initialization","The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. 
These issues are not frequently reported, and it is difficult to find published examples.::",{"point":"wi","priority":"6","details":"wj"},"CWE-ID: 456Missing Initialization of a Variable","The product does not initialize critical variables, which causes the execution environment to use unexpected values.Guidelines:::TYPE:Relationship:NOTE:This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.::TYPE:Research Gap:NOTE:It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.::",{"point":"wl","priority":"6","details":"wm"},"CWE-ID: 457Use of Uninitialized Variable","The code uses a variable that has not been initialized, leading to unpredictable or unintended results.Guidelines:",{"point":"wo","priority":"6","details":"wp"},"CWE-ID: 459Incomplete Cleanup","The product does not properly clean up and remove temporary or supporting resources after they have been used.Guidelines:::TYPE:Relationship:NOTE:CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for proper cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.::TYPE:Relationship:NOTE:Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. 
resulting from unhandled error conditions or early termination).::",{"point":"wr","priority":"6","details":"ws"},"CWE-ID: 460Improper Cleanup on Thrown Exception","The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.Guidelines:",{"point":"wu","priority":"6","details":"wv"},"CWE-ID: 462Duplicate Key in Associative List (Alist)","Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.Guidelines:",{"point":"wx","priority":"6","details":"wy"},"CWE-ID: 463Deletion of Data Structure Sentinel","The accidental deletion of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x0","priority":"6","details":"x1"},"CWE-ID: 464Addition of Data Structure Sentinel","The accidental addition of a data-structure sentinel can cause serious programming logic problems.Guidelines:",{"point":"x3","priority":"6","details":"x4"},"CWE-ID: 466Return of Pointer Value Outside of Expected Range","A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.Guidelines:::TYPE:Maintenance:NOTE:This entry should have a chaining relationship with CWE-119 instead of a parent / child relationship, however the focus of this weakness does not map cleanly to any existing entries in CWE. A new parent is being considered which covers the more generic problem of incorrect return values. There is also an abstract relationship to weaknesses in which one component sends incorrect messages to another component; in this case, one routine is sending an incorrect value to another.::",{"point":"x6","priority":"6","details":"x7"},"CWE-ID: 467Use of sizeof() on a Pointer Type","The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. 
This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.Guidelines:",{"point":"x9","priority":"6","details":"xa"},"CWE-ID: 468Incorrect Pointer Scaling","In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.Guidelines:",{"point":"xc","priority":"6","details":"xd"},"CWE-ID: 469Use of Pointer Subtraction to Determine Size","The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.Guidelines:",{"point":"xf","priority":"6","details":"xg"},"CWE-ID: 470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.Guidelines:",{"point":"xi","priority":"6","details":"xj"},"CWE-ID: 471Modification of Assumed-Immutable Data (MAID)","The product does not properly protect an assumed-immutable element from being modified by an attacker.Guidelines:::TYPE:Relationship:NOTE:MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. 
However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.::TYPE:Theoretical:NOTE:There are many examples where the MUTABILITY property is a major factor in a vulnerability.::",{"point":"xl","priority":"6","details":"xm"},"CWE-ID: 472External Control of Assumed-Immutable Web Parameter","The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.Guidelines:::TYPE:Relationship:NOTE:This is a primary weakness for many other weaknesses and functional consequences, including XSS, SQL injection, path disclosure, and file inclusion.::TYPE:Theoretical:NOTE:This is a technology-specific MAID problem.::",{"point":"xo","priority":"6","details":"xp"},"CWE-ID: 473PHP External Variable Modification","A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.Guidelines:::TYPE:Relationship:NOTE:This is a language-specific instance of Modification of Assumed-Immutable Data (MAID). This can be resultant from direct request (alternate path) issues. 
It can be primary to weaknesses such as PHP file inclusion, SQL injection, XSS, authentication bypass, and others.::",{"point":"xr","priority":"6","details":"xs"},"CWE-ID: 474Use of Function with Inconsistent Implementations","The code uses a function that has inconsistent implementations across operating systems and versions.Guidelines:",{"point":"xu","priority":"6","details":"xv"},"CWE-ID: 475Undefined Behavior for Input to API","The behavior of this function is undefined unless its control parameter is set to a specific value.Guidelines:::TYPE:Other:NOTE:The Linux Standard Base Specification 2.0.1 for libc places constraints on the arguments to some internal functions [21]. If the constraints are not met, the behavior of the functions is not defined. It is unusual for this function to be called directly. It is almost always invoked through a macro defined in a system header file, and the macro ensures that the following constraints are met: The value 1 must be passed to the third parameter (the version number) of the following file system function: __xmknod The value 2 must be passed to the third parameter (the group argument) of the following wide character string functions: __wcstod_internal __wcstof_internal __wcstol_internal __wcstold_internal __wcstoul_internal The value 3 must be passed as the first parameter (the version number) of the following file system functions: __xstat __lxstat __fxstat __xstat64 __lxstat64 __fxstat64::",{"point":"xx","priority":"6","details":"xy"},"CWE-ID: 476NULL Pointer Dereference","A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Guidelines:",{"point":"y0","priority":"6","details":"y1"},"CWE-ID: 477Use of Obsolete Function","The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.Guidelines:",{"point":"y3","priority":"6","details":"y4"},"CWE-ID: 478Missing 
Default Case in Multiple Condition Expression","The code does not have a default case in an expression with multiple conditions, such as a switch statement.Guidelines:",{"point":"y6","priority":"6","details":"y7"},"CWE-ID: 479Signal Handler Use of a Non-reentrant Function","The product defines a signal handler that calls a non-reentrant function.Guidelines:",{"point":"y9","priority":"6","details":"ya"},"CWE-ID: 480Use of Incorrect Operator","The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.Guidelines:",{"point":"yc","priority":"6","details":"yd"},"CWE-ID: 481Assigning instead of Comparing","The code uses an operator for assignment when the intention was to perform a comparison.Guidelines:",{"point":"yf","priority":"6","details":"yg"},"CWE-ID: 482Comparing instead of Assigning","The code uses an operator for comparison when the intention was to perform an assignment.Guidelines:",{"point":"yi","priority":"6","details":"yj"},"CWE-ID: 483Incorrect Block Delimitation","The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.Guidelines:",{"point":"yl","priority":"6","details":"ym"},"CWE-ID: 484Omitted Break Statement in Switch","The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. 
This can cause problems when the programmer only intended to execute code associated with one condition.Guidelines:",{"point":"yo","priority":"6","details":"yp"},"CWE-ID: 486Comparison of Classes by Name","The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.Guidelines:",{"point":"yr","priority":"6","details":"ys"},"CWE-ID: 487Reliance on Package-level Scope","Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.Guidelines:",{"point":"yu","priority":"6","details":"yv"},"CWE-ID: 488Exposure of Data Element to Wrong Session","The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.Guidelines:",{"point":"yx","priority":"6","details":"yy"},"CWE-ID: 489Active Debug Code","The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.Guidelines:::TYPE:Other:NOTE:In J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.::",{"point":"z0","priority":"6","details":"z1"},"CWE-ID: 491Public cloneable() Method Without Final ('Object Hijack')","A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.Guidelines:",{"point":"z3","priority":"6","details":"z4"},"CWE-ID: 492Use of Inner Class Containing Sensitive Data","Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.Guidelines:::TYPE:Other:NOTE:Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. 
Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.::",{"point":"z6","priority":"6","details":"z7"},"CWE-ID: 493Critical Public Variable Without Final Modifier","The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.Guidelines:",{"point":"z9","priority":"6","details":"za"},"CWE-ID: 494Download of Code Without Integrity Check","The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Guidelines:::TYPE:Research Gap:NOTE:This is critical for mobile code, but it is likely to become more and more common as developers continue to adopt automated, network-based product distributions and upgrades. Software-as-a-Service (SaaS) might introduce additional subtleties. 
Common exploitation scenarios may include ad server compromises and bad upgrades.::",{"point":"zc","priority":"6","details":"zd"},"CWE-ID: 495Private Data Structure Returned From A Public Method","The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.Guidelines:",{"point":"zf","priority":"6","details":"zg"},"CWE-ID: 496Public Data Assigned to Private Array-Typed Field","Assigning public data to a private array is equivalent to giving public access to the array.Guidelines:",{"point":"zi","priority":"6","details":"zj"},"CWE-ID: 497Exposure of Sensitive System Information to an Unauthorized Control Sphere","The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.Guidelines:",{"point":"zl","priority":"6","details":"zm"},"CWE-ID: 498Cloneable Class Containing Sensitive Information","The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.Guidelines:",{"point":"zo","priority":"6","details":"zp"},"CWE-ID: 499Serializable Class Containing Sensitive Data","The code contains a class with sensitive data, but the class does not explicitly deny serialization. 
The data can be accessed by serializing the class through another class.Guidelines:",{"point":"zr","priority":"6","details":"zs"},"CWE-ID: 500Public Static Field Not Marked Final","An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.Guidelines:",{"point":"zu","priority":"6","details":"zv"},"CWE-ID: 501Trust Boundary Violation","The product mixes trusted and untrusted data in the same data structure or structured message.Guidelines:",{"point":"zx","priority":"6","details":"zy"},"CWE-ID: 502Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"100","priority":"6","details":"101"},"CWE-ID: 506Embedded Malicious Code","The product contains code that appears to be malicious in nature.Guidelines:::TYPE:Terminology:NOTE:The term Trojan horse was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].::",{"point":"103","priority":"6","details":"104"},"CWE-ID: 507Trojan Horse","The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.Guidelines:::TYPE:Other:NOTE:Potentially malicious dynamic code compiled at runtime can conceal any number of attacks that will not appear in the baseline. 
The use of dynamically compiled code could also allow the injection of attacks on post-deployed applications.::TYPE:Terminology:NOTE:Definitions of Trojan horse and related terms have varied widely over the years, but common usage in 2008 generally refers to software that performs a legitimate function, but also contains malicious code. Almost any malicious code can be called a Trojan horse, since the author of malicious code needs to disguise it somehow so that it will be invoked by a nonmalicious user (unless the author means also to invoke the code, in which case they presumably already possess the authorization to perform the intended sabotage). A Trojan horse that replicates itself by copying its code into other program files (see case MA1) is commonly referred to as a virus. One that replicates itself by creating new processes or files to contain its code, instead of modifying existing storage entities, is often called a worm. Denning provides a general discussion of these terms; differences of opinion about the term applicable to a particular flaw or its exploitations sometimes occur.::",{"point":"106","priority":"6","details":"107"},"CWE-ID: 508Non-Replicating Malicious Code","Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.Guidelines:",{"point":"109","priority":"6","details":"10a"},"CWE-ID: 509Replicating Malicious Code (Virus or Worm)","Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.Guidelines:",{"point":"10c","priority":"6","details":"10d"},"CWE-ID: 510Trapdoor","A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.Guidelines:",{"point":"10f","priority":"6","details":"10g"},"CWE-ID: 511Logic/Time Bomb","The product contains code 
that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.Guidelines:",{"point":"10i","priority":"6","details":"10j"},"CWE-ID: 512Spyware","The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.Guidelines:",{"point":"10l","priority":"6","details":"10m"},"CWE-ID: 514Covert Channel","A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.Guidelines:::TYPE:Theoretical:NOTE:A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.::",{"point":"10o","priority":"6","details":"10p"},"CWE-ID: 515Covert Storage Channel","A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. 
As a result of that work, this entry might change in CWE 4.10.::",{"point":"10r","priority":"6","details":"10s"},"CWE-ID: 520.NET Misconfiguration: Use of Impersonation","Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.Guidelines:",{"point":"10u","priority":"6","details":"10v"},"CWE-ID: 521Weak Password Requirements","The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.Guidelines:",{"point":"10x","priority":"6","details":"10y"},"CWE-ID: 522Insufficiently Protected Credentials","The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Guidelines:",{"point":"110","priority":"6","details":"111"},"CWE-ID: 523Unprotected Transport of Credentials","Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.Guidelines:",{"point":"113","priority":"6","details":"114"},"CWE-ID: 524Use of Cache Containing Sensitive Information","The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.Guidelines:",{"point":"116","priority":"6","details":"117"},"CWE-ID: 525Use of Web Browser Cache Containing Sensitive Information","The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.Guidelines:",{"point":"119","priority":"6","details":"11a"},"CWE-ID: 526Cleartext Storage of Sensitive Information in an Environment Variable","The product uses an environment variable to store unencrypted sensitive information.Guidelines:",{"point":"11c","priority":"6","details":"11d"},"CWE-ID: 527Exposure of Version-Control Repository to an Unauthorized 
Control Sphere","The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11f","priority":"6","details":"11g"},"CWE-ID: 528Exposure of Core Dump File to an Unauthorized Control Sphere","The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.Guidelines:",{"point":"11i","priority":"6","details":"11j"},"CWE-ID: 529Exposure of Access Control List Files to an Unauthorized Control Sphere","The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.Guidelines:",{"point":"11l","priority":"6","details":"11m"},"CWE-ID: 530Exposure of Backup File to an Unauthorized Control Sphere","A backup file is stored in a directory or archive that is made accessible to unauthorized actors.Guidelines:",{"point":"11o","priority":"6","details":"11p"},"CWE-ID: 531Inclusion of Sensitive Information in Test Code","Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.Guidelines:",{"point":"11r","priority":"6","details":"11s"},"CWE-ID: 532Insertion of Sensitive Information into Log File","Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Guidelines:",{"point":"11u","priority":"6","details":"11v"},"CWE-ID: 535Exposure of Information Through Shell Error Message","A command shell error message indicates that there exists an unhandled exception in the web application code. 
In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.Guidelines:",{"point":"11x","priority":"6","details":"11y"},"CWE-ID: 536Servlet Runtime Error Message Containing Sensitive Information","A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.Guidelines:",{"point":"120","priority":"6","details":"121"},"CWE-ID: 537Java Runtime Error Message Containing Sensitive Information","In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.Guidelines:",{"point":"123","priority":"6","details":"124"},"CWE-ID: 538Insertion of Sensitive Information into Externally-Accessible File or Directory","The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.Guidelines:::TYPE:Maintenance:NOTE:Depending on usage, this could be a weakness or a category. Further study of all its children is needed, and the entire sub-tree may need to be clarified. The current organization is based primarily on the exposure of sensitive information as a consequence, instead of as a primary weakness.::TYPE:Maintenance:NOTE:There is a close relationship with CWE-552, which is more focused on weaknesses. 
As a result, it may be more appropriate to convert CWE-538 to a category.::",{"point":"126","priority":"6","details":"127"},"CWE-ID: 539Use of Persistent Cookies Containing Sensitive Information","The web application uses persistent cookies, but the cookies contain sensitive information.Guidelines:",{"point":"129","priority":"6","details":"12a"},"CWE-ID: 540Inclusion of Sensitive Information in Source Code","Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.Guidelines:",{"point":"12c","priority":"6","details":"12d"},"CWE-ID: 541Inclusion of Sensitive Information in an Include File","If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.Guidelines:",{"point":"12f","priority":"6","details":"12g"},"CWE-ID: 543Use of Singleton Pattern Without Synchronization in a Multithreaded Context","The product uses the singleton pattern when creating a resource within a multithreaded environment.Guidelines:",{"point":"12i","priority":"6","details":"12j"},"CWE-ID: 544Missing Standardized Error Handling Mechanism","The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.Guidelines:",{"point":"12l","priority":"6","details":"12m"},"CWE-ID: 546Suspicious Comment","The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.Guidelines:",{"point":"12o","priority":"6","details":"12p"},"CWE-ID: 547Use of Hard-coded, Security-relevant Constants","The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.Guidelines:",{"point":"12r","priority":"6","details":"12s"},"CWE-ID: 548Exposure of Information Through Directory Listing","A directory 
listing is inappropriately exposed, yielding potentially sensitive information to attackers.Guidelines:",{"point":"12u","priority":"6","details":"12v"},"CWE-ID: 549Missing Password Field Masking","The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.Guidelines:",{"point":"12x","priority":"6","details":"12y"},"CWE-ID: 550Server-generated Error Message Containing Sensitive Information","Certain conditions, such as network failure, will cause a server error message to be displayed.Guidelines:",{"point":"130","priority":"6","details":"131"},"CWE-ID: 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.Guidelines:",{"point":"133","priority":"6","details":"134"},"CWE-ID: 552Files or Directories Accessible to External Parties","The product makes files or directories accessible to unauthorized actors, even though they should not be.Guidelines:",{"point":"136","priority":"6","details":"137"},"CWE-ID: 553Command Shell in Externally Accessible Directory","A possible shell file exists in /cgi-bin/ or other accessible directories. 
This is extremely dangerous and can be used by an attacker to execute commands on the web server.Guidelines:",{"point":"139","priority":"6","details":"13a"},"CWE-ID: 554ASP.NET Misconfiguration: Not Using Input Validation Framework","The ASP.NET application does not use an input validation framework.Guidelines:",{"point":"13c","priority":"6","details":"13d"},"CWE-ID: 555J2EE Misconfiguration: Plaintext Password in Configuration File","The J2EE application stores a plaintext password in a configuration file.Guidelines:",{"point":"13f","priority":"6","details":"13g"},"CWE-ID: 556ASP.NET Misconfiguration: Use of Identity Impersonation","Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.Guidelines:",{"point":"13i","priority":"6","details":"13j"},"CWE-ID: 558Use of getlogin() in Multithreaded Application","The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.Guidelines:",{"point":"13l","priority":"6","details":"13m"},"CWE-ID: 560Use of umask() with chmod-style Argument","The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().Guidelines:::TYPE:Other:NOTE:Some umask() manual pages begin with the false statement: umask sets the umask to mask & 0777 Although this behavior would better align with the usage of chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777. The documentation goes on to describe the correct usage of umask(): The umask is used by open() to set initial file permissions on a newly-created file. 
Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666).::",{"point":"13o","priority":"6","details":"13p"},"CWE-ID: 561Dead Code","The product contains dead code, which can never be executed.Guidelines:",{"point":"13r","priority":"6","details":"13s"},"CWE-ID: 562Return of Stack Variable Address","A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.Guidelines:",{"point":"13u","priority":"6","details":"13v"},"CWE-ID: 563Assignment to Variable without Use","The variable's value is assigned but never used, making it a dead store.Guidelines:",{"point":"13x","priority":"6","details":"13y"},"CWE-ID: 564SQL Injection: Hibernate","Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.Guidelines:",{"point":"140","priority":"6","details":"141"},"CWE-ID: 565Reliance on Cookies without Validation and Integrity Checking","The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Guidelines:::TYPE:Relationship:NOTE:This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. 
As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..::",{"point":"143","priority":"6","details":"144"},"CWE-ID: 566Authorization Bypass Through User-Controlled SQL Primary Key","The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.Guidelines:",{"point":"146","priority":"6","details":"147"},"CWE-ID: 567Unsynchronized Access to Shared Data in a Multithreaded Context","The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.Guidelines:",{"point":"149","priority":"6","details":"14a"},"CWE-ID: 568finalize() Method Without super.finalize()","The product contains a finalize() method that does not call super.finalize().Guidelines:",{"point":"14c","priority":"6","details":"14d"},"CWE-ID: 570Expression is Always False","The product contains an expression that will always evaluate to false.Guidelines:",{"point":"14f","priority":"6","details":"14g"},"CWE-ID: 571Expression is Always True","The product contains an expression that will always evaluate to true.Guidelines:",{"point":"14i","priority":"6","details":"14j"},"CWE-ID: 572Call to Thread run() instead of start()","The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.Guidelines:",{"point":"14l","priority":"6","details":"14m"},"CWE-ID: 573Improper Following of Specification by Caller","The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.Guidelines:",{"point":"14o","priority":"6","details":"14p"},"CWE-ID: 574EJB Bad Practices: Use of Synchronization Primitives","The product violates the Enterprise 
JavaBeans (EJB) specification by using thread synchronization primitives.Guidelines:",{"point":"14r","priority":"6","details":"14s"},"CWE-ID: 575EJB Bad Practices: Use of AWT Swing","The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.Guidelines:",{"point":"14u","priority":"6","details":"14v"},"CWE-ID: 576EJB Bad Practices: Use of Java I/O","The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.Guidelines:",{"point":"14x","priority":"6","details":"14y"},"CWE-ID: 577EJB Bad Practices: Use of Sockets","The product violates the Enterprise JavaBeans (EJB) specification by using sockets.Guidelines:",{"point":"150","priority":"6","details":"151"},"CWE-ID: 578EJB Bad Practices: Use of Class Loader","The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.Guidelines:",{"point":"153","priority":"6","details":"154"},"CWE-ID: 579J2EE Bad Practices: Non-serializable Object Stored in Session","The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.Guidelines:",{"point":"156","priority":"6","details":"157"},"CWE-ID: 580clone() Method Without super.clone()","The product contains a clone() method that does not call super.clone() to obtain the new object.Guidelines:",{"point":"159","priority":"6","details":"15a"},"CWE-ID: 581Object Model Violation: Just One of Equals and Hashcode Defined","The product does not maintain equal hashcodes for equal objects.Guidelines:",{"point":"15c","priority":"6","details":"15d"},"CWE-ID: 582Array Declared Public, Final, and Static","The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.Guidelines:",{"point":"15f","priority":"6","details":"15g"},"CWE-ID: 583finalize() Method Declared Public","The product violates secure coding principles for mobile code by declaring a finalize() method 
public.Guidelines:",{"point":"15i","priority":"6","details":"15j"},"CWE-ID: 584Return Inside Finally Block","The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.Guidelines:",{"point":"15l","priority":"6","details":"15m"},"CWE-ID: 585Empty Synchronized Block","The product contains an empty synchronized block.Guidelines:",{"point":"15o","priority":"6","details":"15p"},"CWE-ID: 586Explicit Call to Finalize()","The product makes an explicit call to the finalize() method from outside the finalizer.Guidelines:",{"point":"15r","priority":"6","details":"15s"},"CWE-ID: 587Assignment of a Fixed Address to a Pointer","The product sets a pointer to a specific address other than NULL or 0.Guidelines:",{"point":"15u","priority":"6","details":"15v"},"CWE-ID: 588Attempt to Access Child of a Non-structure Pointer","Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.Guidelines:",{"point":"15x","priority":"6","details":"15y"},"CWE-ID: 589Call to Non-ubiquitous API","The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.Guidelines:",{"point":"160","priority":"6","details":"161"},"CWE-ID: 590Free of Memory not on the Heap","The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().Guidelines:::TYPE:Other:NOTE:In C++, if the new operator was used to allocate the memory, it may be allocated with the malloc(), calloc() or realloc() family of functions in the implementation. 
Someone aware of this behavior might choose to map this problem to CWE-590 or to its parent, CWE-762, depending on their perspective.::",{"point":"163","priority":"6","details":"164"},"CWE-ID: 591Sensitive Data Storage in Improperly Locked Memory","The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.Guidelines:",{"point":"166","priority":"6","details":"167"},"CWE-ID: 593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created","The product modifies the SSL context after connection creation has begun.Guidelines:",{"point":"169","priority":"6","details":"16a"},"CWE-ID: 594J2EE Framework: Saving Unserializable Objects to Disk","When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.Guidelines:",{"point":"16c","priority":"6","details":"16d"},"CWE-ID: 595Comparison of Object References Instead of Object Contents","The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.Guidelines:",{"point":"16f","priority":"6","details":"16g"},"CWE-ID: 597Use of Wrong Operator in String Comparison","The product uses the wrong operator when comparing a string, such as using == when the .equals() method should be used instead.Guidelines:",{"point":"16i","priority":"6","details":"16j"},"CWE-ID: 598Use of GET Request Method With Sensitive Query Strings","The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.Guidelines:",{"point":"16l","priority":"6","details":"16m"},"CWE-ID: 599Missing Validation of OpenSSL Certificate","The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() 
function to ensure that the certificate satisfies all necessary security requirements.Guidelines:::TYPE:Relationship:NOTE:CWE-295 and CWE-599 are very similar, although CWE-599 has a more narrow scope that is only applied to OpenSSL certificates. As a result, other children of CWE-295 can be regarded as children of CWE-599 as well. CWE's use of one-dimensional hierarchical relationships is not well-suited to handle different kinds of abstraction relationships based on concepts like types of resources (OpenSSL certificate as a child of any certificate) and types of behaviors (not validating expiration as a child of improper validation).::",{"point":"16o","priority":"6","details":"16p"},"CWE-ID: 600Uncaught Exception in Servlet","The Servlet does not catch all exceptions, which may reveal sensitive debugging information.Guidelines:::TYPE:Maintenance:NOTE:The Missing Catch Block concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.::",{"point":"16r","priority":"6","details":"16s"},"CWE-ID: 601URL Redirection to Untrusted Site ('Open Redirect')","A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. 
This simplifies phishing attacks.Guidelines:",{"point":"16u","priority":"6","details":"16v"},"CWE-ID: 602Client-Side Enforcement of Server-Side Security","The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.Guidelines:",{"point":"16x","priority":"6","details":"16y"},"CWE-ID: 603Use of Client-Side Authentication","A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.Guidelines:",{"point":"170","priority":"6","details":"171"},"CWE-ID: 605Multiple Binds to the Same Port","When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.Guidelines:",{"point":"173","priority":"6","details":"174"},"CWE-ID: 606Unchecked Input for Loop Condition","The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.Guidelines:",{"point":"176","priority":"6","details":"177"},"CWE-ID: 607Public Static Final Field References Mutable Object","A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.Guidelines:",{"point":"179","priority":"6","details":"17a"},"CWE-ID: 608Struts: Non-private Field in ActionForm Class","An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.Guidelines:",{"point":"17c","priority":"6","details":"17d"},"CWE-ID: 609Double-Checked Locking","The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.Guidelines:",{"point":"17f","priority":"6","details":"17g"},"CWE-ID: 610Externally Controlled Reference to a Resource in Another 
Sphere","The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Guidelines:::TYPE:Relationship:NOTE:This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will follow a symbolic link and use the link's target instead.::TYPE:Maintenance:NOTE:The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 Resource Injection, as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the identifier used to access a system resource such as a file name or port number, yet it explicitly states that the resource injection term does not apply to path manipulation, which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.::",{"point":"17i","priority":"6","details":"17j"},"CWE-ID: 611Improper Restriction of XML External Entity Reference","The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. 
However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"17l","priority":"6","details":"17m"},"CWE-ID: 612Improper Authorization of Index Containing Sensitive Information","The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.Guidelines:::TYPE:Research Gap:NOTE:This weakness is probably under-studied and under-reported.::",{"point":"17o","priority":"6","details":"17p"},"CWE-ID: 613Insufficient Session Expiration","According to WASC, Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.Guidelines:::TYPE:Other:NOTE:The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). 
Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.::",{"point":"17r","priority":"6","details":"17s"},"CWE-ID: 614Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.Guidelines:",{"point":"17u","priority":"6","details":"17v"},"CWE-ID: 615Inclusion of Sensitive Information in Source Code Comments","While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.Guidelines:",{"point":"17x","priority":"6","details":"17y"},"CWE-ID: 616Incomplete Identification of Uploaded File Variables (PHP)","The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.Guidelines:",{"point":"180","priority":"6","details":"181"},"CWE-ID: 617Reachable Assertion","The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Guidelines:",{"point":"183","priority":"6","details":"184"},"CWE-ID: 618Exposed Unsafe ActiveX Method","An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. 
the zone or domain).Guidelines:",{"point":"186","priority":"6","details":"187"},"CWE-ID: 619Dangling Database Cursor ('Cursor Injection')","If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor dangling.Guidelines:",{"point":"189","priority":"6","details":"18a"},"CWE-ID: 620Unverified Password Change","When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.Guidelines:",{"point":"18c","priority":"6","details":"18d"},"CWE-ID: 621Variable Extraction Error","The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.Guidelines:::TYPE:Research Gap:NOTE:Probably under-reported for PHP. Seems under-studied for other interpreted languages.::",{"point":"18f","priority":"6","details":"18g"},"CWE-ID: 622Improper Validation of Function Hook Arguments","The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.Guidelines:",{"point":"18i","priority":"6","details":"18j"},"CWE-ID: 623Unsafe ActiveX Control Marked Safe For Scripting","An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.Guidelines:",{"point":"18l","priority":"6","details":"18m"},"CWE-ID: 624Executable Regular Expression Error","The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. 
It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.::",{"point":"18o","priority":"6","details":"18p"},"CWE-ID: 625Permissive Regular Expression","The product uses a regular expression that does not sufficiently restrict the set of allowed values.Guidelines:",{"point":"18r","priority":"6","details":"18s"},"CWE-ID: 626Null Byte Interaction Error (Poison Null Byte)","The product does not properly handle null bytes or NUL characters when passing data between different representations or components.Guidelines:::TYPE:Terminology:NOTE:Current usage of poison null byte is typically related to this C/Perl/PHP interaction error, but the original term in 1998 was applied to an off-by-one buffer overflow involving a null byte.::TYPE:Research Gap:NOTE:There are not many CVE examples, because the poison NULL byte is a design limitation, which typically is not included in CVE by itself. It is typically used as a facilitator manipulation to widen the scope of potential attacks against other vulnerabilities.::",{"point":"18u","priority":"6","details":"18v"},"CWE-ID: 627Dynamic Variable Evaluation","In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.Guidelines:::TYPE:Research Gap:NOTE:Under-studied, probably under-reported. Few researchers look for this issue; most public reports are for PHP, although other languages are affected. 
This issue is likely to grow in PHP as developers begin to implement functionality in place of register_globals.::",{"point":"18x","priority":"6","details":"18y"},"CWE-ID: 628Function Call with Incorrectly Specified Arguments","The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.Guidelines:",{"point":"190","priority":"6","details":"191"},"CWE-ID: 636Not Failing Securely ('Failing Open')","When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.Guidelines:::TYPE:Research Gap:NOTE:Since design issues are hard to fix, they are rarely publicly reported, so there are few CVE examples of this problem as of January 2008. Most publicly reported issues occur as the result of an implementation error instead of design, such as CVE-2005-3177 (Improper handling of large numbers of resources) or CVE-2005-2969 (inadvertently disabling a verification step, leading to selection of a weaker protocol).::",{"point":"193","priority":"6","details":"194"},"CWE-ID: 637Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')","The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.Guidelines:",{"point":"196","priority":"6","details":"197"},"CWE-ID: 638Not Using Complete Mediation","The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.Guidelines:",{"point":"199","priority":"6","details":"19a"},"CWE-ID: 639Authorization Bypass Through User-Controlled Key","The system's 
authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Guidelines:",{"point":"19c","priority":"6","details":"19d"},"CWE-ID: 640Weak Password Recovery Mechanism for Forgotten Password","The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Guidelines:::TYPE:Maintenance:NOTE:This entry might be reclassified as a category or loose composite, since it lists multiple specific errors that can make the mechanism weak. However, under view 1000, it could be a weakness under protection mechanism failure, although it is different from most PMF issues since it is related to a feature that is designed to bypass a protection mechanism (specifically, the lack of knowledge of a password).::TYPE:Maintenance:NOTE:This entry probably needs to be split; see extended description.::",{"point":"19f","priority":"6","details":"19g"},"CWE-ID: 641Improper Restriction of Names for Files and Other Resources","The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Guidelines:",{"point":"19i","priority":"6","details":"19j"},"CWE-ID: 642External Control of Critical State Data","The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Guidelines:",{"point":"19l","priority":"6","details":"19m"},"CWE-ID: 643Improper Neutralization of Data within XPath Expressions ('XPath Injection')","The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. 
This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. The main difference is that the target of attack here is the XML database.::",{"point":"19o","priority":"6","details":"19p"},"CWE-ID: 644Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.Guidelines:",{"point":"19r","priority":"6","details":"19s"},"CWE-ID: 645Overly Restrictive Account Lockout Mechanism","The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.Guidelines:",{"point":"19u","priority":"6","details":"19v"},"CWE-ID: 646Reliance on File Name or Extension of Externally-Supplied File","The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.Guidelines:",{"point":"19x","priority":"6","details":"19y"},"CWE-ID: 647Use of Non-Canonical URL Paths for Authorization Decisions","The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.Guidelines:",{"point":"1a0","priority":"6","details":"1a1"},"CWE-ID: 648Incorrect Use of Privileged APIs","The product does not conform to the API requirements for a function call that requires extra privileges. 
This could allow attackers to gain privileges by causing the function to be called incorrectly.Guidelines:",{"point":"1a3","priority":"6","details":"1a4"},"CWE-ID: 649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking","The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.Guidelines:",{"point":"1a6","priority":"6","details":"1a7"},"CWE-ID: 650Trusting HTTP Permission Methods on the Server Side","The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.Guidelines:",{"point":"1a9","priority":"6","details":"1aa"},"CWE-ID: 651Exposure of WSDL File Containing Sensitive Information","The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).Guidelines:",{"point":"1ac","priority":"6","details":"1ad"},"CWE-ID: 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')","The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.Guidelines:::TYPE:Relationship:NOTE:This weakness is similar to other weaknesses that enable injection style attacks, such as SQL injection, command injection and LDAP injection. 
The main difference is that the target of attack here is the XML database.::",{"point":"1af","priority":"6","details":"1ag"},"CWE-ID: 653Improper Isolation or Compartmentalization","The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.Guidelines:::TYPE:Relationship:NOTE:There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.::TYPE:Terminology:NOTE:The term Separation of Privilege is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1ai","priority":"6","details":"1aj"},"CWE-ID: 654Reliance on a Single Factor in a Security Decision","A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with the term Separation of Privilege. 
This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (CWE-653) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.::",{"point":"1al","priority":"6","details":"1am"},"CWE-ID: 655Insufficient Psychological Acceptability","The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.Guidelines:::TYPE:Other:NOTE:This weakness covers many security measures causing user inconvenience, requiring effort or causing frustration, that are disproportionate to the risks or value of the protected assets, or that are perceived to be ineffective.::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1ao","priority":"6","details":"1ap"},"CWE-ID: 656Reliance on Security Through Obscurity","The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.Guidelines:::TYPE:Relationship:NOTE:Note that there is a close relationship between this weakness and CWE-603 (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.::",{"point":"1ar","priority":"6","details":"1as"},"CWE-ID: 657Violation of Secure Design Principles","The product violates well-established principles for secure design.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1au","priority":"6","details":"1av"},"CWE-ID: 662Improper Synchronization","The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ax","priority":"6","details":"1ay"},"CWE-ID: 663Use of a Non-reentrant Function in a Concurrent Context","The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.Guidelines:",{"point":"1b0","priority":"6","details":"1b1"},"CWE-ID: 664Improper Control of a Resource Through its Lifetime","The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.Guidelines:::TYPE:Maintenance:NOTE:More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. 
Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.::",{"point":"1b3","priority":"6","details":"1b4"},"CWE-ID: 665Improper Initialization","The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Guidelines:",{"point":"1b6","priority":"6","details":"1b7"},"CWE-ID: 666Operation on Resource in Wrong Phase of Lifetime","The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.Guidelines:",{"point":"1b9","priority":"6","details":"1ba"},"CWE-ID: 667Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1bc","priority":"6","details":"1bd"},"CWE-ID: 668Exposure of Resource to Wrong Sphere","The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. 
For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bf","priority":"6","details":"1bg"},"CWE-ID: 669Incorrect Resource Transfer Between Spheres","The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.Guidelines:",{"point":"1bi","priority":"6","details":"1bj"},"CWE-ID: 670Always-Incorrect Control Flow Implementation","The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.Guidelines:::TYPE:Maintenance:NOTE:This node could possibly be split into lower-level nodes. Early Return is for returning control to the caller too soon (e.g., CWE-584). Excess Return is when control is returned too far up the call stack (CWE-600, CWE-395). Improper control limitation occurs when the product maintains control at a lower level of execution, when control should be returned further up the call stack (CWE-455). Incorrect syntax covers code that's just plain wrong such as CWE-484 and CWE-483.::",{"point":"1bl","priority":"6","details":"1bm"},"CWE-ID: 671Lack of Administrator Control over Security","The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. 
This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.Guidelines:",{"point":"1bo","priority":"6","details":"1bp"},"CWE-ID: 672Operation on a Resource after Expiration or Release","The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.Guidelines:",{"point":"1br","priority":"6","details":"1bs"},"CWE-ID: 673External Influence of Sphere Definition","The product does not prevent the definition of control spheres from external actors.Guidelines:::TYPE:Theoretical:NOTE:A control sphere is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for administrators who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be users who are authenticated to the operating system on which the product is installed. Each sphere has different sets of actors and allowable behaviors.::",{"point":"1bu","priority":"6","details":"1bv"},"CWE-ID: 674Uncontrolled Recursion","The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Guidelines:",{"point":"1bx","priority":"6","details":"1by"},"CWE-ID: 675Multiple Operations on Resource in Single-Operation Context","The product performs the same operation on a resource two or more times, when the operation should only be applied once.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-462 (duplicate key in alist) or CWE-102 (Struts duplicate validation forms). 
It's usually a case of an API contract violation (CWE-227).::",{"point":"1c0","priority":"6","details":"1c1"},"CWE-ID: 676Use of Potentially Dangerous Function","The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.Guidelines:::TYPE:Relationship:NOTE:This weakness is different than CWE-242 (Use of Inherently Dangerous Function). CWE-242 covers functions with such significant security problems that they can never be guaranteed to be safe. Some functions, if used properly, do not directly pose a security risk, but can introduce a weakness if not called correctly. These are regarded as potentially dangerous. A well-known example is the strcpy() function. When provided with a destination buffer that is larger than its source, strcpy() will not overflow. However, it is so often misused that some developers prohibit strcpy() entirely.::",{"point":"1c3","priority":"6","details":"1c4"},"CWE-ID: 680Integer Overflow to Buffer Overflow","The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Guidelines:",{"point":"1c6","priority":"6","details":"1c7"},"CWE-ID: 681Incorrect Conversion between Numeric Types","When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.Guidelines:",{"point":"1c9","priority":"6","details":"1ca"},"CWE-ID: 682Incorrect Calculation","The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::",{"point":"1cc","priority":"6","details":"1cd"},"CWE-ID: 683Function Call With Incorrect Order of Arguments","The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.Guidelines:",{"point":"1cf","priority":"6","details":"1cg"},"CWE-ID: 684Incorrect Provision of Specified Functionality","The code does not function according to its published specifications, potentially leading to incorrect usage.Guidelines:",{"point":"1ci","priority":"6","details":"1cj"},"CWE-ID: 685Function Call With Incorrect Number of Arguments","The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cl","priority":"6","details":"1cm"},"CWE-ID: 686Function Call With Incorrect Argument Type","The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.Guidelines:",{"point":"1co","priority":"6","details":"1cp"},"CWE-ID: 687Function Call With Incorrectly Specified Argument Value","The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.Guidelines:::TYPE:Relationship:NOTE:When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. 
In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.::",{"point":"1cr","priority":"6","details":"1cs"},"CWE-ID: 688Function Call With Incorrect Variable or Reference as Argument","The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.Guidelines:",{"point":"1cu","priority":"6","details":"1cv"},"CWE-ID: 689Permission Race Condition During Resource Copy","The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.Guidelines:::TYPE:Research Gap:NOTE:Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.::",{"point":"1cx","priority":"6","details":"1cy"},"CWE-ID: 690Unchecked Return Value to NULL Pointer Dereference","The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.Guidelines:",{"point":"1d0","priority":"6","details":"1d1"},"CWE-ID: 691Insufficient Control Flow Management","The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.Guidelines:",{"point":"1d3","priority":"6","details":"1d4"},"CWE-ID: 692Incomplete Denylist to Cross-Site Scripting","The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.Guidelines:",{"point":"1d6","priority":"6","details":"1d7"},"CWE-ID: 693Protection Mechanism Failure","The 
product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Guidelines:::TYPE:Research Gap:NOTE:The concept of protection mechanisms is well established, but protection mechanism failures have not been studied comprehensively. It is suspected that protection mechanisms can have significantly different types of weaknesses than the weaknesses that they are intended to prevent.::",{"point":"1d9","priority":"6","details":"1da"},"CWE-ID: 694Use of Multiple Resources with Duplicate Identifier","The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.Guidelines:::TYPE:Relationship:NOTE:This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).::",{"point":"1dc","priority":"6","details":"1dd"},"CWE-ID: 695Use of Low-Level Functionality","The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.Guidelines:",{"point":"1df","priority":"6","details":"1dg"},"CWE-ID: 696Incorrect Behavior Order","The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.Guidelines:",{"point":"1di","priority":"6","details":"1dj"},"CWE-ID: 697Incorrect Comparison","The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.Guidelines:::TYPE:Research Gap:NOTE:Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. 
Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.::TYPE:Maintenance:NOTE:This entry likely has some relationships with case sensitivity (CWE-178), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (CWE-208).::",{"point":"1dl","priority":"6","details":"1dm"},"CWE-ID: 698Execution After Redirect (EAR)","The web application sends a redirect to another location, but instead of exiting, it executes additional code.Guidelines:",{"point":"1do","priority":"6","details":"1dp"},"CWE-ID: 703Improper Check or Handling of Exceptional Conditions","The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.Guidelines:::TYPE:Relationship:NOTE:This is a high-level class that might have some overlap with other classes. It could be argued that even normal weaknesses such as buffer overflows involve unusual or exceptional conditions. In that sense, this might be an inherent aspect of most other weaknesses within CWE, similar to API Abuse (CWE-227) and Indicator of Poor Code Quality (CWE-398). 
However, this entry is currently intended to unify disparate concepts that do not have other places within the Research Concepts view (CWE-1000).::",{"point":"1dr","priority":"6","details":"1ds"},"CWE-ID: 704Incorrect Type Conversion or Cast","The product does not correctly convert an object, resource, or structure from one type to a different type.Guidelines:",{"point":"1du","priority":"6","details":"1dv"},"CWE-ID: 705Incorrect Control Flow Scoping","The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.Guidelines:",{"point":"1dx","priority":"6","details":"1dy"},"CWE-ID: 706Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.Guidelines:",{"point":"1e0","priority":"6","details":"1e1"},"CWE-ID: 707Improper Neutralization","The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.Guidelines:::TYPE:Maintenance:NOTE:Concepts such as validation, data transformation, and neutralization are being refined, so relationships between CWE-20 and other entries such as CWE-707 may change in future versions, along with an update to the Vulnerability Theory document.::",{"point":"1e3","priority":"6","details":"1e4"},"CWE-ID: 708Incorrect Ownership Assignment","The product assigns an owner to a resource, but the owner is outside of the intended control sphere.Guidelines:::TYPE:Maintenance:NOTE:This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. 
It is not clear whether it would fall under this entry or require a different entry.::",{"point":"1e6","priority":"6","details":"1e7"},"CWE-ID: 710Improper Adherence to Coding Standards","The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.Guidelines:",{"point":"1e9","priority":"6","details":"1ea"},"CWE-ID: 732Incorrect Permission Assignment for Critical Resource","The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Guidelines:::TYPE:Maintenance:NOTE:The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).::",{"point":"1ec","priority":"6","details":"1ed"},"CWE-ID: 733Compiler Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.Guidelines:",{"point":"1ef","priority":"6","details":"1eg"},"CWE-ID: 749Exposed Dangerous Method or Function","The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.Guidelines:::TYPE:Research Gap:NOTE:Under-reported and under-studied. This weakness could appear in any technology, language, or framework that allows the programmer to provide a functional interface to external parties, but it is not heavily reported. In 2007, CVE began showing a notable increase in reports of exposed method vulnerabilities in ActiveX applications, as well as IOCTL access to OS-level resources. 
These weaknesses have been documented for Java applications in various secure programming sources, but there are few reports in CVE, which suggests limited awareness in most parts of the vulnerability research community.::",{"point":"1ei","priority":"6","details":"1ej"},"CWE-ID: 754Improper Check for Unusual or Exceptional Conditions","The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.Guidelines:::TYPE:Relationship:NOTE:Sometimes, when a return value can be used to indicate an error, an unchecked return value is a code-layer instance of a missing application-layer check for exceptional conditions. However, return values are not always needed to communicate exceptional conditions. For example, expiration of resources, values passed by reference, asynchronously modified data, sockets, etc. may indicate exceptional conditions without the use of a return value.::",{"point":"1el","priority":"6","details":"1em"},"CWE-ID: 755Improper Handling of Exceptional Conditions","The product does not handle or incorrectly handles an exceptional condition.Guidelines:",{"point":"1eo","priority":"6","details":"1ep"},"CWE-ID: 756Missing Custom Error Page","The product does not return custom error pages to the user, possibly exposing sensitive information.Guidelines:",{"point":"1er","priority":"6","details":"1es"},"CWE-ID: 757Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')","A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.Guidelines:::TYPE:Relationship:NOTE:This is related to CWE-300, although not all downgrade attacks necessarily require an entity that redirects or interferes with the network. 
See examples.::",{"point":"1eu","priority":"6","details":"1ev"},"CWE-ID: 758Reliance on Undefined, Unspecified, or Implementation-Defined Behavior","The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.Guidelines:",{"point":"1ex","priority":"6","details":"1ey"},"CWE-ID: 759Use of a One-Way Hash without a Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.Guidelines:",{"point":"1f0","priority":"6","details":"1f1"},"CWE-ID: 760Use of a One-Way Hash with a Predictable Salt","The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. 
Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1f3","priority":"6","details":"1f4"},"CWE-ID: 761Free of Pointer not at Start of Buffer","The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.Guidelines:::TYPE:Maintenance:NOTE:Currently, CWE-763 is the parent, however it may be desirable to have an intermediate parent which is not function-specific, similar to how CWE-762 is an intermediate parent between CWE-763 and CWE-590.::",{"point":"1f6","priority":"6","details":"1f7"},"CWE-ID: 762Mismatched Memory Management Routines","The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any programming language that allows manual management of memory.::",{"point":"1f9","priority":"6","details":"1fa"},"CWE-ID: 763Release of Invalid Pointer or Reference","The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.Guidelines:::TYPE:Maintenance:NOTE:The view-1000 subtree that is associated with this weakness needs additional work. Several entries will likely be created in this branch. Currently the focus is on free() of memory, but delete and other related release routines may require the creation of intermediate entries that are not specific to a particular function. In addition, the role of other types of invalid pointers, such as an expired pointer, i.e. 
CWE-415 Double Free and release of uninitialized pointers, related to CWE-457.::",{"point":"1fc","priority":"6","details":"1fd"},"CWE-ID: 764Multiple Locks of a Critical Resource","The product locks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. This entry may need to be modified to reflect these concepts in the future.::",{"point":"1ff","priority":"6","details":"1fg"},"CWE-ID: 765Multiple Unlocks of a Critical Resource","The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.Guidelines:::TYPE:Maintenance:NOTE:An alternate way to think about this weakness is as an imbalance between the number of locks / unlocks in the control flow. Over the course of execution, if each lock call is not followed by a subsequent call to unlock in a reasonable amount of time, then system performance may be degraded or at least operating at less than peak levels if there is competition for the locks. 
This entry may need to be modified to reflect these concepts in the future.::",{"point":"1fi","priority":"6","details":"1fj"},"CWE-ID: 766Critical Data Element Declared Public","The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.Guidelines:",{"point":"1fl","priority":"6","details":"1fm"},"CWE-ID: 767Access to Critical Private Variable via Public Method","The product defines a public method that reads or modifies a private variable.Guidelines:::TYPE:Maintenance:NOTE:This entry is closely associated with access control for public methods. If the public methods are restricted with proper access controls, then the information in the private variable will not be exposed to unexpected parties. There may be chaining or composite relationships between improper access controls and this weakness.::",{"point":"1fo","priority":"6","details":"1fp"},"CWE-ID: 768Incorrect Short Circuit Evaluation","The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. 
This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.Guidelines:",{"point":"1fr","priority":"6","details":"1fs"},"CWE-ID: 770Allocation of Resources Without Limits or Throttling","The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Guidelines:::TYPE:Relationship:NOTE:This entry is different from uncontrolled resource consumption (CWE-400) in that there are other weaknesses that are related to inability to control resource consumption, such as holding on to a resource too long after use, or not correctly keeping track of active resources so that they can be managed and released when they are finished (CWE-771).::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1fu","priority":"6","details":"1fv"},"CWE-ID: 771Missing Reference to Active Allocated Resource","The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.Guidelines:",{"point":"1fx","priority":"6","details":"1fy"},"CWE-ID: 772Missing Release of Resource after Effective Lifetime","The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.Guidelines:::TYPE:Maintenance:NOTE:Resource exhaustion (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. 
While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.::TYPE:Theoretical:NOTE:Vulnerability theory is largely about how behaviors and resources interact. Resource exhaustion can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.::",{"point":"1g0","priority":"6","details":"1g1"},"CWE-ID: 773Missing Reference to Active File Descriptor or Handle","The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.Guidelines:",{"point":"1g3","priority":"6","details":"1g4"},"CWE-ID: 774Allocation of File Descriptors or Handles Without Limits or Throttling","The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.Guidelines:",{"point":"1g6","priority":"6","details":"1g7"},"CWE-ID: 775Missing Release of File Descriptor or Handle after Effective Lifetime","The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.Guidelines:",{"point":"1g9","priority":"6","details":"1ga"},"CWE-ID: 776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.Guidelines:",{"point":"1gc","priority":"6","details":"1gd"},"CWE-ID: 777Regular Expression without Anchors","The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip 
through.Guidelines:",{"point":"1gf","priority":"6","details":"1gg"},"CWE-ID: 778Insufficient Logging","When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.Guidelines:",{"point":"1gi","priority":"6","details":"1gj"},"CWE-ID: 779Logging of Excessive Data","The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.Guidelines:",{"point":"1gl","priority":"6","details":"1gm"},"CWE-ID: 780Use of RSA Algorithm without OAEP","The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.Guidelines:::TYPE:Maintenance:NOTE:This entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.::",{"point":"1go","priority":"6","details":"1gp"},"CWE-ID: 781Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code","The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.Guidelines:::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::TYPE:Research Gap:NOTE:While this type of issue has been known since 2006, it is probably still under-studied and under-reported. Most of the focus has been on high-profile software and security products, but other kinds of system software also use drivers. Since exploitation requires the development of custom code, it requires some skill to find this weakness. 
Because exploitation typically requires local privileges, it might not be a priority for active attackers. However, remote exploitation may be possible for software such as device drivers. Even when remote vectors are not available, it may be useful as the final privilege-escalation step in multi-stage remote attacks against application-layer software, or as the primary attack by a local user on a multi-user system.::",{"point":"1gr","priority":"6","details":"1gs"},"CWE-ID: 782Exposed IOCTL with Insufficient Access Control","The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.Guidelines:::TYPE:Relationship:NOTE:This can be primary to many other weaknesses when the programmer assumes that the IOCTL can only be accessed by trusted parties. For example, a program or driver might not validate incoming addresses in METHOD_NEITHER IOCTLs in Windows environments (CWE-781), which could allow buffer overflow and similar attacks to take place, even when the attacker never should have been able to access the IOCTL at all.::TYPE:Applicable Platform:NOTE:Because IOCTL functionality is typically performing low-level actions and closely interacts with the operating system, this weakness may only appear in code that is written in low-level languages.::",{"point":"1gu","priority":"6","details":"1gv"},"CWE-ID: 783Operator Precedence Logic Error","The product uses an expression in which operator precedence causes incorrect logic to be used.Guidelines:",{"point":"1gx","priority":"6","details":"1gy"},"CWE-ID: 784Reliance on Cookies without Validation and Integrity Checking in a Security Decision","The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.Guidelines:::TYPE:Maintenance:NOTE:A new parent might need to be defined for this entry. 
This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472.::",{"point":"1h0","priority":"6","details":"1h1"},"CWE-ID: 785Use of Path Manipulation Function without Maximum-sized Buffer","The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.Guidelines:::TYPE:Maintenance:NOTE:This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). 
The CWE team has not decided how to handle such entries.::",{"point":"1h3","priority":"6","details":"1h4"},"CWE-ID: 786Access of Memory Location Before Start of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Guidelines:",{"point":"1h6","priority":"6","details":"1h7"},"CWE-ID: 787Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.Guidelines:",{"point":"1h9","priority":"6","details":"1ha"},"CWE-ID: 788Access of Memory Location After End of Buffer","The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.Guidelines:",{"point":"1hc","priority":"6","details":"1hd"},"CWE-ID: 789Memory Allocation with Excessive Size Value","The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Guidelines:::TYPE:Relationship:NOTE:This weakness can be closely associated with integer overflows (CWE-190). Integer overflow attacks would concentrate on providing an extremely large number that triggers an overflow that causes less memory to be allocated than expected. By providing a large value that does not trigger an integer overflow, the attacker could still cause excessive amounts of memory to be allocated.::TYPE:Applicable Platform:NOTE:Uncontrolled memory allocation is possible in many languages, such as dynamic array allocation in perl or initial size parameters in Collections in Java. 
However, languages like C and C++ where programmers have the power to more directly control memory management will be more susceptible.::",{"point":"1hf","priority":"6","details":"1hg"},"CWE-ID: 790Improper Filtering of Special Elements","The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.Guidelines:",{"point":"1hi","priority":"6","details":"1hj"},"CWE-ID: 791Incomplete Filtering of Special Elements","The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.Guidelines:",{"point":"1hl","priority":"6","details":"1hm"},"CWE-ID: 792Incomplete Filtering of One or More Instances of Special Elements","The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.Guidelines:",{"point":"1ho","priority":"6","details":"1hp"},"CWE-ID: 793Only Filtering One Instance of a Special Element","The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.Guidelines:",{"point":"1hr","priority":"6","details":"1hs"},"CWE-ID: 794Incomplete Filtering of Multiple Instances of Special Elements","The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.Guidelines:",{"point":"1hu","priority":"6","details":"1hv"},"CWE-ID: 795Only Filtering Special Elements at a Specified Location","The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1hx","priority":"6","details":"1hy"},"CWE-ID: 796Only Filtering Special Elements Relative 
to a Marker","The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. at the beginning/end of a string; the second argument), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i0","priority":"6","details":"1i1"},"CWE-ID: 797Only Filtering Special Elements at an Absolute Position","The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. byte number 10), thereby missing remaining special elements that may exist before sending it to a downstream component.Guidelines:",{"point":"1i3","priority":"6","details":"1i4"},"CWE-ID: 798Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.Guidelines:::TYPE:Maintenance:NOTE:The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4.10, but they are still under review and might change in future CWE versions. These draft mappings were performed by members of the Mapping CWE to 62443 subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4.10. 
The mappings are included to facilitate discussion and review by the broader ICS/OT community, and they are likely to change in future CWE versions.::",{"point":"1i6","priority":"6","details":"1i7"},"CWE-ID: 799Improper Control of Interaction Frequency","The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.Guidelines:",{"point":"1i9","priority":"6","details":"1ia"},"CWE-ID: 804Guessable CAPTCHA","The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.Guidelines:",{"point":"1ic","priority":"6","details":"1id"},"CWE-ID: 805Buffer Access with Incorrect Length Value","The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1if","priority":"6","details":"1ig"},"CWE-ID: 806Buffer Access Using Size of Source Buffer","The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.Guidelines:",{"point":"1ii","priority":"6","details":"1ij"},"CWE-ID: 807Reliance on Untrusted Inputs in a Security Decision","The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Guidelines:",{"point":"1il","priority":"6","details":"1im"},"CWE-ID: 820Missing Synchronization","The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. 
Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1io","priority":"6","details":"1ip"},"CWE-ID: 821Incorrect Synchronization","The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.Guidelines:::TYPE:Maintenance:NOTE:Deeper research is necessary for synchronization and related mechanisms, including locks, mutexes, semaphores, and other mechanisms. Multiple entries are dependent on this research, which includes relationships to concurrency, race conditions, reentrant functions, etc. CWE-662 and its children - including CWE-667, CWE-820, CWE-821, and others - may need to be modified significantly, along with their relationships.::",{"point":"1ir","priority":"6","details":"1is"},"CWE-ID: 822Untrusted Pointer Dereference","The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1iu","priority":"6","details":"1iv"},"CWE-ID: 823Use of Out-of-range Pointer Offset","The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1ix","priority":"6","details":"1iy"},"CWE-ID: 824Access of Uninitialized Pointer","The product accesses or uses a pointer that has not been initialized.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. 
As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j0","priority":"6","details":"1j1"},"CWE-ID: 825Expired Pointer Dereference","The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.Guidelines:::TYPE:Maintenance:NOTE:There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.::TYPE:Terminology:NOTE:Many weaknesses related to pointer dereferences fall under the general term of memory corruption or memory safety. As of September 2010, there is no commonly-used terminology that covers the lower-level variants.::",{"point":"1j3","priority":"6","details":"1j4"},"CWE-ID: 826Premature Release of Resource During Expected Lifetime","The product releases a resource that is still intended to be used by itself or another actor.Guidelines:::TYPE:Research Gap:NOTE:Under-studied and under-reported as of September 2010. This weakness has been reported in high-visibility software, although the focus has been primarily on memory allocation and de-allocation. There are very few examples of this weakness that are not directly related to memory management, although such weaknesses are likely to occur in real-world software for other types of resources.::",{"point":"1j6","priority":"6","details":"1j7"},"CWE-ID: 827Improper Control of Document Type Definition","The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. 
This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.Guidelines:",{"point":"1j9","priority":"6","details":"1ja"},"CWE-ID: 828Signal Handler with Functionality that is not Asynchronous-Safe","The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.Guidelines:",{"point":"1jc","priority":"6","details":"1jd"},"CWE-ID: 829Inclusion of Functionality from Untrusted Control Sphere","The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.Guidelines:",{"point":"1jf","priority":"6","details":"1jg"},"CWE-ID: 830Inclusion of Web Functionality from an Untrusted Source","The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.Guidelines:",{"point":"1ji","priority":"6","details":"1jj"},"CWE-ID: 831Signal Handler Function Associated with Multiple Signals","The product defines a function that is used as a handler for more than one signal.Guidelines:",{"point":"1jl","priority":"6","details":"1jm"},"CWE-ID: 832Unlock of a Resource that is not Locked","The product attempts to unlock a resource that is not locked.Guidelines:",{"point":"1jo","priority":"6","details":"1jp"},"CWE-ID: 833Deadlock","The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.Guidelines:",{"point":"1jr","priority":"6","details":"1js"},"CWE-ID: 834Excessive Iteration","The product performs an iteration or loop without sufficiently limiting the number of times that the loop is 
executed.Guidelines:",{"point":"1ju","priority":"6","details":"1jv"},"CWE-ID: 835Loop with Unreachable Exit Condition ('Infinite Loop')","The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Guidelines:",{"point":"1jx","priority":"6","details":"1jy"},"CWE-ID: 836Use of Password Hash Instead of Password for Authentication","The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Guidelines:",{"point":"1k0","priority":"6","details":"1k1"},"CWE-ID: 837Improper Enforcement of a Single, Unique Action","The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.Guidelines:",{"point":"1k3","priority":"6","details":"1k4"},"CWE-ID: 838Inappropriate Encoding for Output Context","The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Guidelines:",{"point":"1k6","priority":"6","details":"1k7"},"CWE-ID: 839Numeric Range Comparison Without Minimum Check","The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.Guidelines:",{"point":"1k9","priority":"6","details":"1ka"},"CWE-ID: 841Improper Enforcement of Behavioral Workflow","The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.Guidelines:::TYPE:Research Gap:NOTE:This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. 
The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.::",{"point":"1kc","priority":"6","details":"1kd"},"CWE-ID: 842Placement of User into Incorrect Group","The product or the administrator places a user into an incorrect group.Guidelines:",{"point":"1kf","priority":"6","details":"1kg"},"CWE-ID: 843Access of Resource Using Incompatible Type ('Type Confusion')","The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Guidelines:::TYPE:Applicable Platform:NOTE:This weakness is possible in any type-unsafe programming language.::TYPE:Research Gap:NOTE:Type confusion weaknesses have received some attention by applied researchers and major software vendors for C and C++ code. Some publicly-reported vulnerabilities probably have type confusion as a root-cause weakness, but these may be described as memory corruption instead. For other languages, there are very few public reports of type confusion weaknesses. These are probably under-studied. 
Since many programs rely directly or indirectly on loose typing, a potential type confusion behavior might be intentional, possibly requiring more manual analysis.::",{"point":"1ki","priority":"6","details":"1kj"},"CWE-ID: 862Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Guidelines:",{"point":"1kl","priority":"6","details":"1km"},"CWE-ID: 863Incorrect Authorization","The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Guidelines:",{"point":"1ko","priority":"6","details":"1kp"},"CWE-ID: 908Use of Uninitialized Resource","The product uses or accesses a resource that has not been initialized.Guidelines:",{"point":"1kr","priority":"6","details":"1ks"},"CWE-ID: 909Missing Initialization of Resource","The product does not initialize a critical resource.Guidelines:",{"point":"1ku","priority":"6","details":"1kv"},"CWE-ID: 910Use of Expired File Descriptor","The product uses or accesses a file descriptor after it has been closed.Guidelines:",{"point":"1kx","priority":"6","details":"1ky"},"CWE-ID: 911Improper Update of Reference Count","The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.Guidelines:",{"point":"1l0","priority":"6","details":"1l1"},"CWE-ID: 912Hidden Functionality","The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Guidelines:",{"point":"1l3","priority":"6","details":"1l4"},"CWE-ID: 913Improper Control of Dynamically-Managed Code Resources","The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, 
attributes, functions, or executable instructions or statements.Guidelines:",{"point":"1l6","priority":"6","details":"1l7"},"CWE-ID: 914Improper Control of Dynamically-Identified Variables","The product does not properly restrict reading from or writing to dynamically-identified variables.Guidelines:",{"point":"1l9","priority":"6","details":"1la"},"CWE-ID: 915Improperly Controlled Modification of Dynamically-Determined Object Attributes","The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.Guidelines:::TYPE:Maintenance:NOTE:The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.::",{"point":"1lc","priority":"6","details":"1ld"},"CWE-ID: 916Use of Password Hash With Insufficient Computational Effort","The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.Guidelines:",{"point":"1lf","priority":"6","details":"1lg"},"CWE-ID: 917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Guidelines:::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::TYPE:Relationship:NOTE:In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language 
tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.::",{"point":"1li","priority":"6","details":"1lj"},"CWE-ID: 918Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Guidelines:::TYPE:Relationship:NOTE:CWE-918 (SSRF) and CWE-611 (XXE) are closely related, because they both involve web-related technologies and can launch outbound requests to unexpected destinations. However, XXE can be performed client-side, or in other contexts in which the software is not acting directly as a server, so the Server portion of the SSRF acronym does not necessarily apply.::",{"point":"1ll","priority":"6","details":"1lm"},"CWE-ID: 920Improper Restriction of Power Consumption","The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.Guidelines:",{"point":"1lo","priority":"6","details":"1lp"},"CWE-ID: 921Storage of Sensitive Data in a Mechanism without Access Control","The product stores sensitive information in a file system or device that does not have built-in access control.Guidelines:",{"point":"1lr","priority":"6","details":"1ls"},"CWE-ID: 922Insecure Storage of Sensitive Information","The product stores sensitive information without properly limiting read or write access by unauthorized actors.Guidelines:::TYPE:Relationship:NOTE:There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. 
However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.::TYPE:Maintenance:NOTE:This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.::",{"point":"1lu","priority":"6","details":"1lv"},"CWE-ID: 923Improper Restriction of Communication Channel to Intended Endpoints","The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.Guidelines:",{"point":"1lx","priority":"6","details":"1ly"},"CWE-ID: 924Improper Enforcement of Message Integrity During Transmission in a Communication Channel","The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.Guidelines:::TYPE:Maintenance:NOTE:This entry should be made more comprehensive in later CWE versions, as it is likely an important design flaw that underlies (or chains to) other weaknesses.::",{"point":"1m0","priority":"6","details":"1m1"},"CWE-ID: 925Improper Verification of Intent by Broadcast Receiver","The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.Guidelines:::TYPE:Maintenance:NOTE:This entry will be made more comprehensive in later CWE versions.::",{"point":"1m3","priority":"6","details":"1m4"},"CWE-ID: 926Improper Export of Android Application Components","The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or 
access the data it contains.Guidelines:",{"point":"1m6","priority":"6","details":"1m7"},"CWE-ID: 927Use of Implicit Intent for Sensitive Communication","The Android application uses an implicit intent for transmitting sensitive data to other applications.Guidelines:",{"point":"1m9","priority":"6","details":"1ma"},"CWE-ID: 939Improper Authorization in Handler for Custom URL Scheme","The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.Guidelines:",{"point":"1mc","priority":"6","details":"1md"},"CWE-ID: 940Improper Verification of Source of a Communication Channel","The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.Guidelines:::TYPE:Relationship:NOTE:While many access control issues involve authenticating the user, this weakness is more about authenticating the actual source of the communication channel itself; there might not be any user in such cases.::",{"point":"1mf","priority":"6","details":"1mg"},"CWE-ID: 941Incorrectly Specified Destination in a Communication Channel","The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.Guidelines:",{"point":"1mi","priority":"6","details":"1mj"},"CWE-ID: 942Permissive Cross-domain Policy with Untrusted Domains","The product uses a cross-domain policy file that includes domains that should not be trusted.Guidelines:",{"point":"1ml","priority":"6","details":"1mm"},"CWE-ID: 943Improper Neutralization of Special Elements in Data Query Logic","The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the 
query.Guidelines:::TYPE:Relationship:NOTE:It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.::",{"point":"1mo","priority":"6","details":"1mp"},"CWE-ID: 1004Sensitive Cookie Without 'HttpOnly' Flag","The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Guidelines:",{"point":"1mr","priority":"6","details":"1ms"},"CWE-ID: 1007Insufficient Visual Distinction of Homoglyphs Presented to User","The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.Guidelines:",{"point":"1mu","priority":"6","details":"1mv"},"CWE-ID: 1021Improper Restriction of Rendered UI Layers or Frames","The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Guidelines:",{"point":"1mx","priority":"6","details":"1my"},"CWE-ID: 1022Use of Web Link to Untrusted Target with window.opener Access","The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.Guidelines:",{"point":"1n0","priority":"6","details":"1n1"},"CWE-ID: 1023Incomplete Comparison with Missing Factors","The 
product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.Guidelines:",{"point":"1n3","priority":"6","details":"1n4"},"CWE-ID: 1024Comparison of Incompatible Types","The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.Guidelines:",{"point":"1n6","priority":"6","details":"1n7"},"CWE-ID: 1025Comparison Using Wrong Factors","The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.Guidelines:",{"point":"1n9","priority":"6","details":"1na"},"CWE-ID: 1037Processor Optimization Removal or Modification of Security-critical Code","The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"1nc","priority":"6","details":"1nd"},"CWE-ID: 1038Insecure Automated Optimizations","The product uses a mechanism that automatically optimizes code, e.g. 
to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.Guidelines:",{"point":"1nf","priority":"6","details":"1ng"},"CWE-ID: 1039Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations","The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.Guidelines:::TYPE:Relationship:NOTE:Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to recognition of input as an incorrect type, which might place it as a sibling of CWE-704 (incorrect type conversion).::",{"point":"1ni","priority":"6","details":"1nj"},"CWE-ID: 1041Use of Redundant Code","The product has multiple functions, methods, procedures, macros, etc. 
that contain the same code.Guidelines:",{"point":"1nl","priority":"6","details":"1nm"},"CWE-ID: 1042Static Member Data Element outside of a Singleton Class Element","The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.Guidelines:",{"point":"1no","priority":"6","details":"1np"},"CWE-ID: 1043Data Element Aggregating an Excessively Large Number of Non-Primitive Elements","The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.Guidelines:",{"point":"1nr","priority":"6","details":"1ns"},"CWE-ID: 1044Architecture with Number of Horizontal Layers Outside of Expected Range","The product's architecture contains too many - or too few - horizontal layers.Guidelines:",{"point":"1nu","priority":"6","details":"1nv"},"CWE-ID: 1045Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor","A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.Guidelines:",{"point":"1nx","priority":"6","details":"1ny"},"CWE-ID: 1046Creation of Immutable Text Using String Concatenation","The product creates an immutable text string using string concatenation operations.Guidelines:",{"point":"1o0","priority":"6","details":"1o1"},"CWE-ID: 1047Modules with Circular Dependencies","The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.Guidelines:",{"point":"1o3","priority":"6","details":"1o4"},"CWE-ID: 1048Invokable Control Element with Large Number of Outward Calls","The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. 
a Fan-Out value that is excessively large.Guidelines:",{"point":"1o6","priority":"6","details":"1o7"},"CWE-ID: 1049Excessive Data Query Operations in a Large Data Table","The product performs a data query with a large number of joins and sub-queries on a large data table.Guidelines:",{"point":"1o9","priority":"6","details":"1oa"},"CWE-ID: 1050Excessive Platform Resource Consumption within a Loop","The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.Guidelines:",{"point":"1oc","priority":"6","details":"1od"},"CWE-ID: 1051Initialization with Hard-Coded Network Resource Configuration Data","The product initializes data using hard-coded values that act as network resource identifiers.Guidelines:",{"point":"1of","priority":"6","details":"1og"},"CWE-ID: 1052Excessive Use of Hard-Coded Literals in Initialization","The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.Guidelines:",{"point":"1oi","priority":"6","details":"1oj"},"CWE-ID: 1053Missing Documentation for Design","The product does not have documentation that represents how it is designed.Guidelines:",{"point":"1ol","priority":"6","details":"1om"},"CWE-ID: 1054Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer","The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.Guidelines:",{"point":"1oo","priority":"6","details":"1op"},"CWE-ID: 1055Multiple Inheritance from Concrete Classes","The product contains a class with inheritance from more than one concrete class.Guidelines:",{"point":"1or","priority":"6","details":"1os"},"CWE-ID: 1056Invokable Control Element with Variadic Parameters","A 
named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.Guidelines:",{"point":"1ou","priority":"6","details":"1ov"},"CWE-ID: 1057Data Access Operations Outside of Expected Data Manager Component","The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.Guidelines:",{"point":"1ox","priority":"6","details":"1oy"},"CWE-ID: 1058Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element","The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.Guidelines:",{"point":"1p0","priority":"6","details":"1p1"},"CWE-ID: 1059Insufficient Technical Documentation","The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.Guidelines:",{"point":"1p3","priority":"6","details":"1p4"},"CWE-ID: 1060Excessive Number of Inefficient Server-Side Data Accesses","The product performs too many data queries without using efficient data processing functionality such as stored procedures.Guidelines:",{"point":"1p6","priority":"6","details":"1p7"},"CWE-ID: 1061Insufficient Encapsulation","The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.Guidelines:",{"point":"1p9","priority":"6","details":"1pa"},"CWE-ID: 1062Parent Class with References to Child Class","The code has a parent 
class that contains references to a child class, its methods, or its members.Guidelines:",{"point":"1pc","priority":"6","details":"1pd"},"CWE-ID: 1063Creation of Class Instance within a Static Code Block","A static code block creates an instance of a class.Guidelines:",{"point":"1pf","priority":"6","details":"1pg"},"CWE-ID: 1064Invokable Control Element with Signature Containing an Excessive Number of Parameters","The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.Guidelines:",{"point":"1pi","priority":"6","details":"1pj"},"CWE-ID: 1065Runtime Resource Management Control Element in a Component Built to Run on Application Servers","The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.Guidelines:",{"point":"1pl","priority":"6","details":"1pm"},"CWE-ID: 1066Missing Serialization Control Element","The product contains a serializable data element that does not have an associated serialization method.Guidelines:",{"point":"1po","priority":"6","details":"1pp"},"CWE-ID: 1067Excessive Execution of Sequential Searches of Data Resource","The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.Guidelines:",{"point":"1pr","priority":"6","details":"1ps"},"CWE-ID: 1068Inconsistency Between Implementation and Documented Design","The implementation of the product is not consistent with the design as described within the relevant documentation.Guidelines:",{"point":"1pu","priority":"6","details":"1pv"},"CWE-ID: 1069Empty Exception Block","An invokable code block contains an exception handling block that does not contain any code, i.e. 
is empty.Guidelines:",{"point":"1px","priority":"6","details":"1py"},"CWE-ID: 1070Serializable Data Element Containing non-Serializable Item Elements","The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.Guidelines:",{"point":"1q0","priority":"6","details":"1q1"},"CWE-ID: 1071Empty Code Block","The source code contains a block that does not contain any code, i.e., the block is empty.Guidelines:",{"point":"1q3","priority":"6","details":"1q4"},"CWE-ID: 1072Data Resource Access without Use of Connection Pooling","The product accesses a data resource through a database without using a connection pooling capability.Guidelines:",{"point":"1q6","priority":"6","details":"1q7"},"CWE-ID: 1073Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses","The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.Guidelines:",{"point":"1q9","priority":"6","details":"1qa"},"CWE-ID: 1074Class with Excessively Deep Inheritance","A class has an inheritance level that is too high, i.e., it has a large number of parent classes.Guidelines:",{"point":"1qc","priority":"6","details":"1qd"},"CWE-ID: 1075Unconditional Control Flow Transfer outside of Switch Block","The product performs unconditional control transfer (such as a goto) in code outside of a branching structure such as a switch block.Guidelines:",{"point":"1qf","priority":"6","details":"1qg"},"CWE-ID: 1076Insufficient Adherence to Expected Conventions","The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.Guidelines:",{"point":"1qi","priority":"6","details":"1qj"},"CWE-ID: 1077Floating Point Comparison with Incorrect Operator","The code performs a comparison such as an equality test between two float 
(floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.Guidelines:",{"point":"1ql","priority":"6","details":"1qm"},"CWE-ID: 1078Inappropriate Source Code Style or Formatting","The source code does not follow desired style or formatting for indentation, white space, comments, etc.Guidelines:",{"point":"1qo","priority":"6","details":"1qp"},"CWE-ID: 1079Parent Class without Virtual Destructor Method","A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.Guidelines:",{"point":"1qr","priority":"6","details":"1qs"},"CWE-ID: 1080Source Code File with Excessive Number of Lines of Code","A source code file has too many lines of code.Guidelines:",{"point":"1qu","priority":"6","details":"1qv"},"CWE-ID: 1082Class Instance Self Destruction Control Element","The code contains a class instance that calls the method or function to delete or destroy itself.Guidelines:",{"point":"1qx","priority":"6","details":"1qy"},"CWE-ID: 1083Data Access from Outside Expected Data Manager Component","The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.Guidelines:",{"point":"1r0","priority":"6","details":"1r1"},"CWE-ID: 1084Invokable Control Element with Excessive File or Data Access Operations","A function or method contains too many operations that utilize a data manager or file resource.Guidelines:",{"point":"1r3","priority":"6","details":"1r4"},"CWE-ID: 1085Invokable Control Element with Excessive Volume of Commented-out Code","A function, method, procedure, etc. 
contains an excessive amount of code that has been commented out within its body.Guidelines:",{"point":"1r6","priority":"6","details":"1r7"},"CWE-ID: 1086Class with Excessive Number of Child Classes","A class contains an unnecessarily large number of children.Guidelines:",{"point":"1r9","priority":"6","details":"1ra"},"CWE-ID: 1087Class with Virtual Method without a Virtual Destructor","A class contains a virtual method, but the method does not have an associated virtual destructor.Guidelines:",{"point":"1rc","priority":"6","details":"1rd"},"CWE-ID: 1088Synchronous Access of Remote Resource without Timeout","The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.Guidelines:",{"point":"1rf","priority":"6","details":"1rg"},"CWE-ID: 1089Large Data Table with Excessive Number of Indices","The product uses a large data table that contains an excessively large number of indices.Guidelines:",{"point":"1ri","priority":"6","details":"1rj"},"CWE-ID: 1090Method Containing Access of a Member Element from Another Class","A method for a class performs an operation that directly accesses a member element from another class.Guidelines:",{"point":"1rl","priority":"6","details":"1rm"},"CWE-ID: 1091Use of Object without Invoking Destructor Method","The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.Guidelines:",{"point":"1ro","priority":"6","details":"1rp"},"CWE-ID: 1092Use of Same Invokable Control Element in Multiple Architectural Layers","The product uses the same control element across multiple architectural layers.Guidelines:",{"point":"1rr","priority":"6","details":"1rs"},"CWE-ID: 1093Excessively Complex Data Representation","The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.Guidelines:",{"point":"1ru","priority":"6","details":"1rv"},"CWE-ID: 
1094Excessive Index Range Scan for a Data Resource","The product contains an index range scan for a large data table, but the scan can cover a large number of rows.Guidelines:",{"point":"1rx","priority":"6","details":"1ry"},"CWE-ID: 1095Loop Condition Value Update within the Loop","The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.Guidelines:",{"point":"1s0","priority":"6","details":"1s1"},"CWE-ID: 1096Singleton Class Instance Creation without Proper Locking or Synchronization","The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.Guidelines:",{"point":"1s3","priority":"6","details":"1s4"},"CWE-ID: 1097Persistent Storable Data Element without Associated Comparison Control Element","The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.Guidelines:",{"point":"1s6","priority":"6","details":"1s7"},"CWE-ID: 1098Data Element containing Pointer Item without Proper Copy Control Element","The code contains a data element with a pointer that does not have an associated copy or constructor method.Guidelines:",{"point":"1s9","priority":"6","details":"1sa"},"CWE-ID: 1099Inconsistent Naming Conventions for Identifiers","The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.Guidelines:",{"point":"1sc","priority":"6","details":"1sd"},"CWE-ID: 1100Insufficient Isolation of System-Dependent Functions","The product or code does not isolate system-dependent functionality into separate standalone modules.Guidelines:",{"point":"1sf","priority":"6","details":"1sg"},"CWE-ID: 1101Reliance on Runtime Component in Generated Code","The 
product uses automatically-generated code that cannot be executed without a specific runtime support component.Guidelines:",{"point":"1si","priority":"6","details":"1sj"},"CWE-ID: 1102Reliance on Machine-Dependent Data Representation","The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.Guidelines:",{"point":"1sl","priority":"6","details":"1sm"},"CWE-ID: 1103Use of Platform-Dependent Third Party Components","The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.Guidelines:",{"point":"1so","priority":"6","details":"1sp"},"CWE-ID: 1104Use of Unmaintained Third Party Components","The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.Guidelines:",{"point":"1sr","priority":"6","details":"1ss"},"CWE-ID: 1105Insufficient Encapsulation of Machine-Dependent Functionality","The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.Guidelines:",{"point":"1su","priority":"6","details":"1sv"},"CWE-ID: 1106Insufficient Use of Symbolic Constants","The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.Guidelines:",{"point":"1sx","priority":"6","details":"1sy"},"CWE-ID: 1107Insufficient Isolation of Symbolic Constant Definitions","The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.Guidelines:",{"point":"1t0","priority":"6","details":"1t1"},"CWE-ID: 1108Excessive Reliance on Global Variables","The code is structured in a way that relies too much on using or setting global variables throughout various points in 
the code, instead of preserving the associated information in a narrower, more local context.Guidelines:",{"point":"1t3","priority":"6","details":"1t4"},"CWE-ID: 1109Use of Same Variable for Multiple Purposes","The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.Guidelines:",{"point":"1t6","priority":"6","details":"1t7"},"CWE-ID: 1110Incomplete Design Documentation","The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.Guidelines:",{"point":"1t9","priority":"6","details":"1ta"},"CWE-ID: 1111Incomplete I/O Documentation","The product's documentation does not adequately define inputs, outputs, or system/software interfaces.Guidelines:",{"point":"1tc","priority":"6","details":"1td"},"CWE-ID: 1112Incomplete Documentation of Program Execution","The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.Guidelines:",{"point":"1tf","priority":"6","details":"1tg"},"CWE-ID: 1113Inappropriate Comment Style","The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.Guidelines:",{"point":"1ti","priority":"6","details":"1tj"},"CWE-ID: 1114Inappropriate Whitespace Style","The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.Guidelines:",{"point":"1tl","priority":"6","details":"1tm"},"CWE-ID: 1115Source Code Element without Standard Prologue","The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.Guidelines:",{"point":"1to","priority":"6","details":"1tp"},"CWE-ID: 1116Inaccurate Comments","The source code 
contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.Guidelines:",{"point":"1tr","priority":"6","details":"1ts"},"CWE-ID: 1117Callable with Insufficient Behavioral Summary","The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.Guidelines:",{"point":"1tu","priority":"6","details":"1tv"},"CWE-ID: 1118Insufficient Documentation of Error Handling Techniques","The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.Guidelines:",{"point":"1tx","priority":"6","details":"1ty"},"CWE-ID: 1119Excessive Use of Unconditional Branching","The code uses too many unconditional branches (such as goto).Guidelines:",{"point":"1u0","priority":"6","details":"1u1"},"CWE-ID: 1120Excessive Code Complexity","The code is too complex, as calculated using a well-defined, quantitative measure.Guidelines:",{"point":"1u3","priority":"6","details":"1u4"},"CWE-ID: 1121Excessive McCabe Cyclomatic Complexity","The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.Guidelines:",{"point":"1u6","priority":"6","details":"1u7"},"CWE-ID: 1122Excessive Halstead Complexity","The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.Guidelines:",{"point":"1u9","priority":"6","details":"1ua"},"CWE-ID: 1123Excessive Use of Self-Modifying Code","The product uses too much self-modifying code.Guidelines:",{"point":"1uc","priority":"6","details":"1ud"},"CWE-ID: 1124Excessively Deep Nesting","The code contains a callable or other code grouping in which the nesting / branching is too deep.Guidelines:",{"point":"1uf","priority":"6","details":"1ug"},"CWE-ID: 1125Excessive Attack Surface","The product has an attack surface whose quantitative 
measurement exceeds a desirable maximum.Guidelines:",{"point":"1ui","priority":"6","details":"1uj"},"CWE-ID: 1126Declaration of Variable with Unnecessarily Wide Scope","The source code declares a variable in one scope, but the variable is only used within a narrower scope.Guidelines:",{"point":"1ul","priority":"6","details":"1um"},"CWE-ID: 1127Compilation with Insufficient Warnings or Errors","The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.Guidelines:",{"point":"1uo","priority":"6","details":"1up"},"CWE-ID: 1164Irrelevant Code","The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.Guidelines:",{"point":"1ur","priority":"6","details":"1us"},"CWE-ID: 1173Improper Use of Validation Framework","The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.Guidelines:",{"point":"1uu","priority":"6","details":"1uv"},"CWE-ID: 1174ASP.NET Misconfiguration: Improper Model Validation","The ASP.NET application does not use, or incorrectly uses, the model validation framework.Guidelines:",{"point":"1ux","priority":"6","details":"1uy"},"CWE-ID: 1176Inefficient CPU Computation","The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.Guidelines:",{"point":"1v0","priority":"6","details":"1v1"},"CWE-ID: 1177Use of Prohibited Code","The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.Guidelines:",{"point":"1v3","priority":"6","details":"1v4"},"CWE-ID: 1188Initialization of a Resource with an Insecure Default","The product initializes or sets a 
resource with a default that is intended to be changed by the administrator, but the default is not secure.Guidelines:::TYPE:Maintenance:NOTE:This entry improves organization of concepts under initialization. The typical CWE model is to cover Missing and Incorrect behaviors. Arguably, this entry could be named as Incorrect instead of Insecure. This might be changed in the near future.::",{"point":"1v6","priority":"6","details":"1v7"},"CWE-ID: 1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.Guidelines:",{"point":"1v9","priority":"6","details":"1va"},"CWE-ID: 1190DMA Device Enabled Too Early in Boot Phase","The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.Guidelines:",{"point":"1vc","priority":"6","details":"1vd"},"CWE-ID: 1191On-Chip Debug and Test Interface With Improper Access Control","The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1vf","priority":"6","details":"1vg"},"CWE-ID: 1192Improper Identifier for IP Block used in System-On-Chip (SOC)","The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.Guidelines:",{"point":"1vi","priority":"6","details":"1vj"},"CWE-ID: 1193Power-On of Untrusted Execution Core Before Enabling Fabric Access Control","The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.Guidelines:",{"point":"1vl","priority":"6","details":"1vm"},"CWE-ID: 1204Generation of Weak Initialization Vector (IV)","The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1vo","priority":"6","details":"1vp"},"CWE-ID: 1209Failure to Disable Reserved Bits","The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. 
However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.Guidelines:",{"point":"1vr","priority":"6","details":"1vs"},"CWE-ID: 1220Insufficient Granularity of Access Control","The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.Guidelines:",{"point":"1vu","priority":"6","details":"1vv"},"CWE-ID: 1221Incorrect Register Defaults or Module Parameters","Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.Guidelines:",{"point":"1vx","priority":"6","details":"1vy"},"CWE-ID: 1222Insufficient Granularity of Address Regions Protected by Register Locks","The product defines a large address region protected from modification by the same register lock control bit. 
This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.Guidelines:",{"point":"1w0","priority":"6","details":"1w1"},"CWE-ID: 1223Race Condition for Write-Once Attributes","A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.Guidelines:",{"point":"1w3","priority":"6","details":"1w4"},"CWE-ID: 1224Improper Restriction of Write-Once Bit Fields","The hardware design control register sticky bits or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.Guidelines:",{"point":"1w6","priority":"6","details":"1w7"},"CWE-ID: 1229Creation of Emergent Resource","The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.Guidelines:",{"point":"1w9","priority":"6","details":"1wa"},"CWE-ID: 1230Exposure of Sensitive Information Through Metadata","The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.Guidelines:",{"point":"1wc","priority":"6","details":"1wd"},"CWE-ID: 1231Improper Prevention of Lock Bit Modification","The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.Guidelines:",{"point":"1wf","priority":"6","details":"1wg"},"CWE-ID: 1232Improper Lock Behavior After Power State Transition","Register lock bit protection disables changes to system configuration once the bit is set. 
Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.Guidelines:",{"point":"1wi","priority":"6","details":"1wj"},"CWE-ID: 1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection","The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.Guidelines:",{"point":"1wl","priority":"6","details":"1wm"},"CWE-ID: 1234Hardware Internal or Debug Modes Allow Override of Locks","System configuration protection may be bypassed during debug mode.Guidelines:",{"point":"1wo","priority":"6","details":"1wp"},"CWE-ID: 1235Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations","The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.Guidelines:",{"point":"1wr","priority":"6","details":"1ws"},"CWE-ID: 1236Improper Neutralization of Formula Elements in a CSV File","The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.Guidelines:",{"point":"1wu","priority":"6","details":"1wv"},"CWE-ID: 1239Improper Zeroization of Hardware Register","The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.Guidelines:",{"point":"1wx","priority":"6","details":"1wy"},"CWE-ID: 1240Use of a Cryptographic Primitive with a Risky Implementation","To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic 
implementation.Guidelines:::TYPE:Terminology:NOTE:Terminology for cryptography varies widely, from informal and colloquial to mathematically-defined, with different precision and formalism depending on whether the stakeholder is a developer, cryptologist, etc. Yet there is a need for CWE to be self-consistent while remaining understandable and acceptable to multiple audiences. As of CWE 4.6, CWE terminology around primitives and algorithms is emerging as shown by the following example, subject to future consultation and agreement within the CWE and cryptography communities. Suppose one wishes to send encrypted data using a CLI tool such as OpenSSL. One might choose to use AES with a 256-bit key and require tamper protection (GCM mode, for instance). For compatibility's sake, one might also choose the ciphertext to be formatted to the PKCS#5 standard. In this case, the cryptographic system would be AES-256-GCM with PKCS#5 formatting. The cryptographic function would be AES-256 in the GCM mode of operation, and the algorithm would be AES. Colloquially, one would say that AES (and sometimes AES-256) is the cryptographic primitive, because it is the algorithm that realizes the concept of symmetric encryption (without modes of operation or other protocol related modifications). In practice, developers and architects typically refer to base cryptographic algorithms (AES, SHA, etc.) as cryptographic primitives.::TYPE:Maintenance:NOTE:Since CWE 4.4, various cryptography-related entries, including CWE-327 and CWE-1240, have been slated for extensive research, analysis, and community consultation to define consistent terminology, improve relationships, and reduce overlap or duplication. 
As of CWE 4.6, this work is still ongoing.::",{"point":"1x0","priority":"6","details":"1x1"},"CWE-ID: 1241Use of Predictable Algorithm in Random Number Generator","The device uses an algorithm that is predictable and generates a pseudo-random number.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, randomness is used heavily. However, within cryptography, entropy is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.::",{"point":"1x3","priority":"6","details":"1x4"},"CWE-ID: 1242Inclusion of Undocumented Features or Chicken Bits","The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.Guidelines:",{"point":"1x6","priority":"6","details":"1x7"},"CWE-ID: 1243Sensitive Non-Volatile Information Not Protected During Debug","Access to security-sensitive information stored in fuses is not limited during debug.Guidelines:",{"point":"1x9","priority":"6","details":"1xa"},"CWE-ID: 1244Internal Asset Exposed to Unsafe Debug Access Level or State","The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.Guidelines:::TYPE:Relationship:NOTE:CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. 
CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.::",{"point":"1xc","priority":"6","details":"1xd"},"CWE-ID: 1245Improper Finite State Machines (FSMs) in Hardware Logic","Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.Guidelines:",{"point":"1xf","priority":"6","details":"1xg"},"CWE-ID: 1246Improper Write Handling in Limited-write Non-Volatile Memories","The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.Guidelines:",{"point":"1xi","priority":"6","details":"1xj"},"CWE-ID: 1247Improper Protection Against Voltage and Clock Glitches","The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.Guidelines:",{"point":"1xl","priority":"6","details":"1xm"},"CWE-ID: 1248Semiconductor Defects in Hardware Logic with Security-Sensitive Implications","The security-sensitive hardware module contains semiconductor defects.Guidelines:",{"point":"1xo","priority":"6","details":"1xp"},"CWE-ID: 1249Application-Level Admin Tool with Inconsistent View of Underlying Operating System","The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.Guidelines:",{"point":"1xr","priority":"6","details":"1xs"},"CWE-ID: 1250Improper Preservation of Consistency Between Independent Representations of Shared State","The product has or supports multiple distributed components or sub-systems that are each required to keep 
their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xu","priority":"6","details":"1xv"},"CWE-ID: 1251Mirrored Regions with Different Values","The product's architecture mirrors regions without ensuring that their contents always stay in sync.Guidelines:::TYPE:Research Gap:NOTE:Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.::",{"point":"1xx","priority":"6","details":"1xy"},"CWE-ID: 1252CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations","The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.Guidelines:",{"point":"1y0","priority":"6","details":"1y1"},"CWE-ID: 1253Incorrect Selection of Fuse Values","The logic level used to set a system to a secure state relies on a fuse being unblown. 
An attacker can set the system to an insecure state merely by blowing the fuse.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1y3","priority":"6","details":"1y4"},"CWE-ID: 1254Incorrect Comparison Logic Granularity","The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.Guidelines:",{"point":"1y6","priority":"6","details":"1y7"},"CWE-ID: 1255Comparison Logic is Vulnerable to Power Side-Channel Attacks","A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.Guidelines:",{"point":"1y9","priority":"6","details":"1ya"},"CWE-ID: 1256Improper Restriction of Software Interfaces to Hardware Features","The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.Guidelines:",{"point":"1yc","priority":"6","details":"1yd"},"CWE-ID: 1257Improper Access Control Applied to Mirrored or Aliased Memory Regions","Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. 
A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.Guidelines:",{"point":"1yf","priority":"6","details":"1yg"},"CWE-ID: 1258Exposure of Sensitive System Information Due to Uncleared Debug Information","The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.Guidelines:",{"point":"1yi","priority":"6","details":"1yj"},"CWE-ID: 1259Improper Restriction of Security Token Assignment","The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. Currently it is expressed as a general absence of a protection mechanism as opposed to a specific mistake, and the entry's name and description could be interpreted as applying to software.::",{"point":"1yl","priority":"6","details":"1ym"},"CWE-ID: 1260Improper Handling of Overlap Between Protected Memory Ranges","The product allows address regions to overlap, which can result in the bypassing of intended memory protection.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"1yo","priority":"6","details":"1yp"},"CWE-ID: 1261Improper Handling of Single Event Upsets","The hardware logic does not effectively handle when single-event upsets (SEUs) occur.Guidelines:",{"point":"1yr","priority":"6","details":"1ys"},"CWE-ID: 1262Improper Access Control for Register Interface","The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.Guidelines:",{"point":"1yu","priority":"6","details":"1yv"},"CWE-ID: 1263Improper Physical Access Control","The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1yx","priority":"6","details":"1yy"},"CWE-ID: 1264Hardware Logic with Insecure De-Synchronization between Control and Data Channels","The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"1z0","priority":"6","details":"1z1"},"CWE-ID: 1265Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls","During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.Guidelines:",{"point":"1z3","priority":"6","details":"1z4"},"CWE-ID: 1266Improper Scrubbing of Sensitive Data from Decommissioned Device","The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1z6","priority":"6","details":"1z7"},"CWE-ID: 1267Policy Uses Obsolete Encoding","The product uses an obsolete encoding mechanism to implement access controls.Guidelines:",{"point":"1z9","priority":"6","details":"1za"},"CWE-ID: 1268Policy Privileges are not Assigned Consistently Between Control and Data Agents","The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zc","priority":"6","details":"1zd"},"CWE-ID: 1269Product Released in Non-Release Configuration","The product released to market is released in pre-production or manufacturing configuration.Guidelines:",{"point":"1zf","priority":"6","details":"1zg"},"CWE-ID: 1270Generation of Incorrect Security Tokens","The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Tokens generated in the system are incorrect.Guidelines:",{"point":"1zi","priority":"6","details":"1zj"},"CWE-ID: 1271Uninitialized Value on Reset for Registers Holding Security Settings","Security-critical logic is not set to a known value on reset.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zl","priority":"6","details":"1zm"},"CWE-ID: 1272Sensitive Information Uncleared Before Debug/Power State Transition","The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.Guidelines:",{"point":"1zo","priority":"6","details":"1zp"},"CWE-ID: 1273Device Unlock Credential Sharing","The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"1zr","priority":"6","details":"1zs"},"CWE-ID: 1274Improper Access Control for Volatile Memory Containing Boot Code","The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.Guidelines:",{"point":"1zu","priority":"6","details":"1zv"},"CWE-ID: 1275Sensitive Cookie with Improper SameSite Attribute","The SameSite attribute for sensitive cookies is not set, or an insecure value is used.Guidelines:",{"point":"1zx","priority":"6","details":"1zy"},"CWE-ID: 1276Hardware Child Block Incorrectly Connected to Parent System","Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.Guidelines:",{"point":"200","priority":"6","details":"201"},"CWE-ID: 1277Firmware Not Updateable","The 
product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.Guidelines:::TYPE:Terminology:NOTE:The firmware term does not have a single commonly-shared definition, so there may be variations in how this CWE entry is interpreted during mapping.::",{"point":"203","priority":"6","details":"204"},"CWE-ID: 1278Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques","Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements. It is more attack-oriented, so it might be more suited for CAPEC.::",{"point":"206","priority":"6","details":"207"},"CWE-ID: 1279Cryptographic Operations are run Before Supporting Units are Ready","Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.Guidelines:",{"point":"209","priority":"6","details":"20a"},"CWE-ID: 1280Access Control Check Implemented After Asset is Accessed","A product's hardware-based access control check occurs after the asset has been accessed.Guidelines:",{"point":"20c","priority":"6","details":"20d"},"CWE-ID: 1281Sequence of Processor Instructions Leads to Unexpected Behavior","Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.Guidelines:",{"point":"20f","priority":"6","details":"20g"},"CWE-ID: 1282Assumed-Immutable Data is Stored in Writable Memory","Immutable data, such as a first-stage bootloader, device identifiers, and write-once configuration settings are stored in writable memory that can be re-programmed or updated in the 
field.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::TYPE:Maintenance:NOTE:As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.::",{"point":"20i","priority":"6","details":"20j"},"CWE-ID: 1283Mutable Attestation or Measurement Reporting Data","The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.Guidelines:::TYPE:Maintenance:NOTE:This entry is still in development and will continue to see updates and content improvements.::",{"point":"20l","priority":"6","details":"20m"},"CWE-ID: 1284Improper Validation of Specified Quantity in Input","The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20o","priority":"6","details":"20p"},"CWE-ID: 1285Improper Validation of Specified Index, Position, or Offset in Input","The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20r","priority":"6","details":"20s"},"CWE-ID: 1286Improper Validation of Syntactic Correctness of Input","The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see 
updates and content improvements.::",{"point":"20u","priority":"6","details":"20v"},"CWE-ID: 1287Improper Validation of Specified Type of Input","The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"20x","priority":"6","details":"20y"},"CWE-ID: 1288Improper Validation of Consistency within Input","The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"210","priority":"6","details":"211"},"CWE-ID: 1289Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"213","priority":"6","details":"214"},"CWE-ID: 1290Incorrect Decoding of Security Identifiers","The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. 
If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.Guidelines:",{"point":"216","priority":"6","details":"217"},"CWE-ID: 1291Public Key Re-Use for Signing both Debug and Production Code","The same public key is used for signing both debug and production code.Guidelines:",{"point":"219","priority":"6","details":"21a"},"CWE-ID: 1292Incorrect Conversion of Security Identifiers","The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.Guidelines:",{"point":"21c","priority":"6","details":"21d"},"CWE-ID: 1293Missing Source Correlation of Multiple Independent Data","The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.Guidelines:",{"point":"21f","priority":"6","details":"21g"},"CWE-ID: 1294Insecure Security Identifier Mechanism","The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. 
However, the Security Identifiers are not correctly implemented.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21i","priority":"6","details":"21j"},"CWE-ID: 1295Debug Messages Revealing Unnecessary Information","The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.Guidelines:",{"point":"21l","priority":"6","details":"21m"},"CWE-ID: 1296Incorrect Chaining or Granularity of Debug Components","The product's debug components contain incorrect chaining or granularity of debug components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21o","priority":"6","details":"21p"},"CWE-ID: 1297Unprotected Confidential Information on Device is Accessible by OSAT Vendors","The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.Guidelines:::TYPE:Maintenance:NOTE:This entry might be subject to CWE Scope Exclusion SCOPE.SITUATIONS (Focus on situations in which weaknesses may appear); SCOPE.HUMANPROC (Human/organizational process; and/or SCOPE.CUSTREL (Not customer-relevant).::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"21r","priority":"6","details":"21s"},"CWE-ID: 1298Hardware Logic Contains Race Conditions","A race condition in the hardware logic results in undermining security guarantees of the system.Guidelines:",{"point":"21u","priority":"6","details":"21v"},"CWE-ID: 1299Missing Protection Mechanism for Alternate Hardware Interface","The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to 
bypass existing protections to the asset that are only performed against the primary path.Guidelines:",{"point":"21x","priority":"6","details":"21y"},"CWE-ID: 1300Improper Protection of Physical Side Channels","The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.Guidelines:",{"point":"220","priority":"6","details":"221"},"CWE-ID: 1301Insufficient or Incomplete Data Removal within Hardware Component","The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.Guidelines:::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"223","priority":"6","details":"224"},"CWE-ID: 1302Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)","The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.Guidelines:",{"point":"226","priority":"6","details":"227"},"CWE-ID: 1303Non-Transparent Sharing of Microarchitectural Resources","Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. Finally, this entry's demonstrative example might not be appropriate. 
As a result, this entry might change significantly in CWE 4.10.::",{"point":"229","priority":"6","details":"22a"},"CWE-ID: 1304Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation","The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.Guidelines:",{"point":"22c","priority":"6","details":"22d"},"CWE-ID: 1310Missing Ability to Patch ROM Code","Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.Guidelines:",{"point":"22f","priority":"6","details":"22g"},"CWE-ID: 1311Improper Translation of Security Attributes by Fabric Bridge","The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.Guidelines:",{"point":"22i","priority":"6","details":"22j"},"CWE-ID: 1312Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.Guidelines:",{"point":"22l","priority":"6","details":"22m"},"CWE-ID: 1313Hardware Allows Activation of Test or Debug Logic at Runtime","During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. 
This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.Guidelines:",{"point":"22o","priority":"6","details":"22p"},"CWE-ID: 1314Missing Write Protection for Parametric Data Values","The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.Guidelines:",{"point":"22r","priority":"6","details":"22s"},"CWE-ID: 1315Improper Setting of Bus Controlling Capability in Fabric End-point","The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.Guidelines:",{"point":"22u","priority":"6","details":"22v"},"CWE-ID: 1316Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.6, CWE-1260 and CWE-1316 are siblings under view 1000, but CWE-1260 might be a parent of CWE-1316. 
More analysis is warranted.::",{"point":"22x","priority":"6","details":"22y"},"CWE-ID: 1317Improper Access Control in Fabric Bridge","The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.Guidelines:",{"point":"230","priority":"6","details":"231"},"CWE-ID: 1318Missing Support for Security Features in On-chip Fabrics or Buses","On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.Guidelines:",{"point":"233","priority":"6","details":"234"},"CWE-ID: 1319Improper Protection against Electromagnetic Fault Injection (EM-FI)","The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.Guidelines:::TYPE:Maintenance:NOTE:This entry is attack-oriented and may require significant modification in future versions, or even deprecation. 
It is not clear whether there is really a design mistake that enables such attacks, so this is not necessarily a weakness and may be more appropriate for CAPEC.::",{"point":"236","priority":"6","details":"237"},"CWE-ID: 1320Improper Protection for Outbound Error Messages and Alert Signals","Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.Guidelines:",{"point":"239","priority":"6","details":"23a"},"CWE-ID: 1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.Guidelines:",{"point":"23c","priority":"6","details":"23d"},"CWE-ID: 1322Use of Blocking Code in Single-threaded, Non-blocking Context","The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.Guidelines:",{"point":"23f","priority":"6","details":"23g"},"CWE-ID: 1323Improper Management of Sensitive Trace Data","Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.Guidelines:",{"point":"23i","priority":"6","details":"23j"},"CWE-ID: 1325Improperly Controlled Sequential Memory Allocation","The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.Guidelines:",{"point":"23l","priority":"6","details":"23m"},"CWE-ID: 1326Missing Immutable Root of Trust in Hardware","A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot 
code.Guidelines:",{"point":"23o","priority":"6","details":"23p"},"CWE-ID: 1327Binding to an Unrestricted IP Address","The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.Guidelines:",{"point":"23r","priority":"6","details":"23s"},"CWE-ID: 1328Security Version Number Mutable to Older Versions","Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.Guidelines:",{"point":"23u","priority":"6","details":"23v"},"CWE-ID: 1329Reliance on Component That is Not Updateable","The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.Guidelines:",{"point":"23x","priority":"6","details":"23y"},"CWE-ID: 1330Remanent Data Readable after Memory Erase","Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.Guidelines:",{"point":"240","priority":"6","details":"241"},"CWE-ID: 1331Improper Isolation of Shared Resources in Network On Chip (NoC)","The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.Guidelines:",{"point":"243","priority":"6","details":"244"},"CWE-ID: 1332Improper Handling of Faults that Lead to Instruction Skips","The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.Guidelines:",{"point":"246","priority":"6","details":"247"},"CWE-ID: 1333Inefficient Regular Expression Complexity","The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.Guidelines:",{"point":"249","priority":"6","details":"24a"},"CWE-ID: 1334Unauthorized Error Injection 
Can Degrade Hardware Redundancy","An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.Guidelines:",{"point":"24c","priority":"6","details":"24d"},"CWE-ID: 1335Incorrect Bitwise Shift of Integer","An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.Guidelines:",{"point":"24f","priority":"6","details":"24g"},"CWE-ID: 1336Improper Neutralization of Special Elements Used in a Template Engine","The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Guidelines:::TYPE:Relationship:NOTE:Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). 
XSS (CWE-79) is also co-located with template injection.::TYPE:Maintenance:NOTE:The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.::",{"point":"24i","priority":"6","details":"24j"},"CWE-ID: 1338Improper Protections Against Hardware Overheating","A hardware device is missing or has inadequate protection features to prevent overheating.Guidelines:",{"point":"24l","priority":"6","details":"24m"},"CWE-ID: 1339Insufficient Precision or Accuracy of a Real Number","The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.Guidelines:",{"point":"24o","priority":"6","details":"24p"},"CWE-ID: 1341Multiple Releases of Same Resource or Handle","The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.Guidelines:::TYPE:Terminology:NOTE:The terms related to release may vary depending on the type of resource, programming language, specification, or framework. Close has been used synonymously for the release of resources like file descriptors and file handles. Return is sometimes used instead of Release. Free is typically used when releasing memory or buffers back into the system for reuse.::",{"point":"24r","priority":"6","details":"24s"},"CWE-ID: 1342Information Exposure through Microarchitectural State after Transient Execution","The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.Guidelines:::TYPE:Relationship:NOTE:CWE-1342 differs from CWE-1303, which is related to misprediction and biasing microarchitectural components, while CWE-1342 addresses illegal data flows and retention. 
For example, Spectre is an instance of CWE-1303 biasing branch prediction to steer the transient execution indirectly.::TYPE:Maintenance:NOTE:As of CWE 4.9, members of the CWE Hardware SIG are closely analyzing this entry and others to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks. Additional investigation may include other weaknesses related to microarchitectural state. As a result, this entry might change significantly in CWE 4.10.::",{"point":"24u","priority":"6","details":"24v"},"CWE-ID: 1351Improper Handling of Hardware Behavior in Exceptionally Cold Environments","A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.Guidelines:",{"point":"24x","priority":"6","details":"24y"},"CWE-ID: 1357Reliance on Insufficiently Trustworthy Component","The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.Guidelines:::TYPE:Maintenance:NOTE:As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.::",{"point":"250","priority":"6","details":"251"},"CWE-ID: 1384Improper Handling of Physical or Environmental Conditions","The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.Guidelines:",{"point":"253","priority":"6","details":"254"},"CWE-ID: 1385Missing Origin Validation in WebSockets","The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.Guidelines:",{"point":"256","priority":"6","details":"257"},"CWE-ID: 1386Insecure Operation on Windows Junction / Mount Point","The 
product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.Guidelines:::TYPE:Terminology:NOTE:Symbolic links, hard links, junctions, and mount points can be confusing terminology, as there are differences in how they operate between UNIX-based systems and Windows, and there are interactions between them.::TYPE:Maintenance:NOTE:This entry is still under development and will continue to see updates and content improvements.::",{"point":"259","priority":"6","details":"25a"},"CWE-ID: 1389Incorrect Parsing of Numbers with Different Radices","The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).Guidelines:",{"point":"25c","priority":"6","details":"25d"},"CWE-ID: 1390Weak Authentication","The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.Guidelines:",{"point":"25f","priority":"6","details":"25g"},"CWE-ID: 1391Use of Weak Credentials","The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.Guidelines:",{"point":"25i","priority":"6","details":"25j"},"CWE-ID: 1392Use of Default Credentials","The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.Guidelines:",{"point":"25l","priority":"6","details":"25m"},"CWE-ID: 1393Use of Default Password","The product uses default passwords for potentially critical functionality.Guidelines:",{"point":"25o","priority":"6","details":"25p"},"CWE-ID: 1394Use of Default Cryptographic Key","The product uses a default cryptographic key for potentially critical functionality.Guidelines:",{"point":"25r","priority":"6","details":"25s"},"CWE-ID: 
1395Dependency on Vulnerable Third-Party Component","The product has a dependency on a third-party component that contains one or more known vulnerabilities.Guidelines:",{"point":"25u","priority":"6","details":"25v"},"CWE-ID: 1419Incorrect Initialization of Resource","The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.Guidelines:",{"point":"25x","priority":"6","details":"25y"},"CWE-ID: 1420Exposure of Sensitive Information during Transient Execution","A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.Guidelines:",{"point":"260","priority":"6","details":"261"},"CWE-ID: 1421Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.Guidelines:",{"point":"263","priority":"6","details":"264"},"CWE-ID: 1422Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.Guidelines:",{"point":"266","priority":"6","details":"267"},"CWE-ID: 1423Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert 
channel.Guidelines:",{"point":"269","priority":"6","details":"26a"},["8","b","e","h","k","n","q","t","w","z","12","15","18","1b","1e","1h","1k","1n","1q","1t","1w","1z","22","25","28","2b","2e","2h","2k","2n","2q","2t","2w","2z","32","35","38","3b","3e","3h","3k","3n","3q","3t","3w","3z","42","45","48","4b","4e","4h","4k","4n","4q","4t","4w","4z","52","55","58","5b","5e","5h","5k","5n","5q","5t","5w","5z","62","65","68","6b","6e","6h","6k","6n","6q","6t","6w","6z","72","75","78","7b","7e","7h","7k","7n","7q","7t","7w","7z","82","85","88","8b","8e","8h","8k","8n","8q","8t","8w","8z","92","95","98","9b","9e","9h","9k","9n","9q","9t","9w","9z","a2","a5","a8","ab","ae","ah","ak","an","aq","at","aw","az","b2","b5","b8","bb","be","bh","bk","bn","bq","bt","bw","bz","c2","c5","c8","cb","ce","ch","ck","cn","cq","ct","cw","cz","d2","d5","d8","db","de","dh","dk","dn","dq","dt","dw","dz","e2","e5","e8","eb","ee","eh","ek","en","eq","et","ew","ez","f2","f5","f8","fb","fe","fh","fk","fn","fq","ft","fw","fz","g2","g5","g8","gb","ge","gh","gk","gn","gq","gt","gw","gz","h2","h5","h8","hb","he","hh","hk","hn","hq","ht","hw","hz","i2","i5","i8","ib","ie","ih","ik","in","iq","it","iw","iz","j2","j5","j8","jb","je","jh","jk","jn","jq","jt","jw","jz","k2","k5","k8","kb","ke","kh","kk","kn","kq","kt","kw","kz","l2","l5","l8","lb","le","lh","lk","ln","lq","lt","lw","lz","m2","m5","m8","mb","me","mh","mk","mn","mq","mt","mw","mz","n2","n5","n8","nb","ne","nh","nk","nn","nq","nt","nw","nz","o2","o5","o8","ob","oe","oh","ok","on","oq","ot","ow","oz","p2","p5","p8","pb","pe","ph","pk","pn","pq","pt","pw","pz","q2","q5","q8","qb","qe","qh","qk","qn","qq","qt","qw","qz","r2","r5","r8","rb","re","rh","rk","rn","rq","rt","rw","rz","s2","s5","s8","sb","se","sh","sk","sn","sq","st","sw","sz","t2","t5","t8","tb","te","th","tk","tn","tq","tt","tw","tz","u2","u5","u8","ub","ue","uh","uk","un","uq","ut","uw","uz","v2","v5","v8","vb","ve","vh","vk","vn","vq","vt","vw","vz","w2","w5","w8","wb","we","wh","
wk","wn","wq","wt","ww","wz","x2","x5","x8","xb","xe","xh","xk","xn","xq","xt","xw","xz","y2","y5","y8","yb","ye","yh","yk","yn","yq","yt","yw","yz","z2","z5","z8","zb","ze","zh","zk","zn","zq","zt","zw","zz","102","105","108","10b","10e","10h","10k","10n","10q","10t","10w","10z","112","115","118","11b","11e","11h","11k","11n","11q","11t","11w","11z","122","125","128","12b","12e","12h","12k","12n","12q","12t","12w","12z","132","135","138","13b","13e","13h","13k","13n","13q","13t","13w","13z","142","145","148","14b","14e","14h","14k","14n","14q","14t","14w","14z","152","155","158","15b","15e","15h","15k","15n","15q","15t","15w","15z","162","165","168","16b","16e","16h","16k","16n","16q","16t","16w","16z","172","175","178","17b","17e","17h","17k","17n","17q","17t","17w","17z","182","185","188","18b","18e","18h","18k","18n","18q","18t","18w","18z","192","195","198","19b","19e","19h","19k","19n","19q","19t","19w","19z","1a2","1a5","1a8","1ab","1ae","1ah","1ak","1an","1aq","1at","1aw","1az","1b2","1b5","1b8","1bb","1be","1bh","1bk","1bn","1bq","1bt","1bw","1bz","1c2","1c5","1c8","1cb","1ce","1ch","1ck","1cn","1cq","1ct","1cw","1cz","1d2","1d5","1d8","1db","1de","1dh","1dk","1dn","1dq","1dt","1dw","1dz","1e2","1e5","1e8","1eb","1ee","1eh","1ek","1en","1eq","1et","1ew","1ez","1f2","1f5","1f8","1fb","1fe","1fh","1fk","1fn","1fq","1ft","1fw","1fz","1g2","1g5","1g8","1gb","1ge","1gh","1gk","1gn","1gq","1gt","1gw","1gz","1h2","1h5","1h8","1hb","1he","1hh","1hk","1hn","1hq","1ht","1hw","1hz","1i2","1i5","1i8","1ib","1ie","1ih","1ik","1in","1iq","1it","1iw","1iz","1j2","1j5","1j8","1jb","1je","1jh","1jk","1jn","1jq","1jt","1jw","1jz","1k2","1k5","1k8","1kb","1ke","1kh","1kk","1kn","1kq","1kt","1kw","1kz","1l2","1l5","1l8","1lb","1le","1lh","1lk","1ln","1lq","1lt","1lw","1lz","1m2","1m5","1m8","1mb","1me","1mh","1mk","1mn","1mq","1mt","1mw","1mz","1n2","1n5","1n8","1nb","1ne","1nh","1nk","1nn","1nq","1nt","1nw","1nz","1o2","1o5","1o8","1ob","1oe","1oh","1ok","1on","1oq","1ot","1o
w","1oz","1p2","1p5","1p8","1pb","1pe","1ph","1pk","1pn","1pq","1pt","1pw","1pz","1q2","1q5","1q8","1qb","1qe","1qh","1qk","1qn","1qq","1qt","1qw","1qz","1r2","1r5","1r8","1rb","1re","1rh","1rk","1rn","1rq","1rt","1rw","1rz","1s2","1s5","1s8","1sb","1se","1sh","1sk","1sn","1sq","1st","1sw","1sz","1t2","1t5","1t8","1tb","1te","1th","1tk","1tn","1tq","1tt","1tw","1tz","1u2","1u5","1u8","1ub","1ue","1uh","1uk","1un","1uq","1ut","1uw","1uz","1v2","1v5","1v8","1vb","1ve","1vh","1vk","1vn","1vq","1vt","1vw","1vz","1w2","1w5","1w8","1wb","1we","1wh","1wk","1wn","1wq","1wt","1ww","1wz","1x2","1x5","1x8","1xb","1xe","1xh","1xk","1xn","1xq","1xt","1xw","1xz","1y2","1y5","1y8","1yb","1ye","1yh","1yk","1yn","1yq","1yt","1yw","1yz","1z2","1z5","1z8","1zb","1ze","1zh","1zk","1zn","1zq","1zt","1zw","1zz","202","205","208","20b","20e","20h","20k","20n","20q","20t","20w","20z","212","215","218","21b","21e","21h","21k","21n","21q","21t","21w","21z","222","225","228","22b","22e","22h","22k","22n","22q","22t","22w","22z","232","235","238","23b","23e","23h","23k","23n","23q","23t","23w","23z","242","245","248","24b","24e","24h","24k","24n","24q","24t","24w","24z","252","255","258","25b","25e","25h","25k","25n","25q","25t","25w","25z","262","265","268","26b"],"red",{"title":"0","slug":"1","description":"2","icon":"3","intro":"4","checklist":"26c","color":"26d"},"CWE: Weaknesses During Design","cwe-design","This view (slice) lists weaknesses that can be introduced during design.","physical","This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.","CWE-ID:20 Improper Input Validation","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. 
A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::METHOD:Manual Static Analysis:DESCRIPTION:When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented.::METHOD:Fuzzing:DESCRIPTION:Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. 
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Host Application Interface Scanner Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness 
Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:73 External Control of File Name or Path","::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:99 Improper Control of Resource Identifiers ('Resource Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:115 Misinterpretation of Input","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. 
Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:184 Incomplete List of Disallowed Inputs","::METHOD:Black Box:DESCRIPTION:Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.::",{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:200 Exposure of Sensitive Information to an Unauthorized Actor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly 
cost effective: Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"26z","priority":"6","details":"ej","howto":"270"},"CWE-ID:201 Insertion of Sensitive Information Into Sent Data",{"point":"272","priority":"6","details":"em","howto":"26r"},"CWE-ID:202 Exposure of Sensitive Information Through Data Queries","",{"point":"274","priority":"6","details":"ep","howto":"275"},"CWE-ID:203 Observable Discrepancy",{"point":"277","priority":"6","details":"es","howto":"275"},"CWE-ID:204 Observable Response Discrepancy",{"point":"279","priority":"6","details":"ev","howto":"275"},"CWE-ID:205 Observable Behavioral Discrepancy",{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:208 Observable Timing Discrepancy",{"point":"27d","priority":"6","details":"f7","howto":"275"},"CWE-ID:209 Generation of Error Message Containing Sensitive Information","::METHOD:Manual Analysis:DESCRIPTION:This weakness generally requires domain-specific interpretation using manual analysis. 
However, the number of potential error conditions may be too large to cover completely within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.)::",{"point":"27f","priority":"6","details":"fa","howto":"27g"},"CWE-ID:210 Self-generated Error Message Containing Sensitive Information",{"point":"27i","priority":"6","details":"fd","howto":"275"},"CWE-ID:211 Externally-Generated Error Message Containing Sensitive Information",{"point":"27k","priority":"6","details":"fg","howto":"275"},"CWE-ID:212 Improper Removal of Sensitive Information Before Storage or Transfer",{"point":"27m","priority":"6","details":"fj","howto":"275"},"CWE-ID:213 Exposure of Sensitive Information Due to Incompatible Policies",{"point":"27o","priority":"6","details":"fm","howto":"275"},"CWE-ID:214 Invocation of Process Using Visible Sensitive Information",{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:221 Information Loss or Omission",{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:223 Omission of Security-relevant Information",{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:250 Execution with Unnecessary Privileges","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Look for library functions and system calls that indicate when privileges are being raised or dropped. Look for accesses of resources that are restricted to normal users.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Compare binary / bytecode to application permission manifest Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:256 Plaintext Storage of a Password",{"point":"27z","priority":"6","details":"id","howto":"26r"},"CWE-ID:257 Storing Passwords in a Recoverable Format",{"point":"281","priority":"6","details":"ig","howto":"26r"},"CWE-ID:260 Password in Configuration File",{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:261 Weak Encoding for Password",{"point":"285","priority":"6","details":"is","howto":"26r"},"CWE-ID:262 Not Using Password Aging",{"point":"287","priority":"6","details":"iv","howto":"275"},"CWE-ID:263 Password Aging with Long Expiration",{"point":"289","priority":"6","details":"iy","howto":"275"},"CWE-ID:267 Privilege Defined With Unsafe Actions",{"point":"28b","priority":"6","details":"j4","howto":"275"},"CWE-ID:268 Privilege Chaining",{"point":"28d","priority":"6","details":"j7","howto":"275"},"CWE-ID:269 Improper Privilege 
Management",{"point":"28f","priority":"6","details":"ja","howto":"26r"},"CWE-ID:270 Privilege Context Switching Error",{"point":"28h","priority":"6","details":"jd","howto":"275"},"CWE-ID:271 Privilege Dropping / Lowering Errors",{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:276 Incorrect Default Permissions","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source 
Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:282 Improper Ownership Management",{"point":"28o","priority":"6","details":"ka","howto":"26r"},"CWE-ID:283 Unverified Ownership",{"point":"28q","priority":"6","details":"kd","howto":"275"},"CWE-ID:285 Improper Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"28s","priority":"6","details":"kj","howto":"28t"},"CWE-ID:286 Incorrect User Management",{"point":"28v","priority":"6","details":"km","howto":"275"},"CWE-ID:287 Improper Authentication","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"28x","priority":"6","details":"kp","howto":"28y"},"CWE-ID:288 Authentication Bypass Using an Alternate Path or Channel",{"point":"290","priority":"6","details":"ks","howto":"275"},"CWE-ID:289 Authentication Bypass by Alternate Name",{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:294 Authentication Bypass by Capture-replay",{"point":"294","priority":"6","details":"l7","howto":"275"},"CWE-ID:295 Improper Certificate Validation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection 
techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:300 Channel Accessible by Non-Endpoint",{"point":"299","priority":"6","details":"lp","howto":"26r"},"CWE-ID:301 Reflection Attack in an Authentication Protocol",{"point":"29b","priority":"6","details":"ls","howto":"275"},"CWE-ID:302 Authentication Bypass by Assumed-Immutable Data",{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:306 Missing Authentication for Critical Function","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authentication mechanisms.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries. Generally, automated static analysis tools have difficulty detecting custom authentication schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an established identity; an automated technique that detects the absence of authentication may report false positives.:EFFECTIVENESS:Limited::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29f","priority":"6","details":"m7","howto":"29g"},"CWE-ID:307 Improper Restriction of Excessive Authentication Attempts","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer Cost effective for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"29i","priority":"6","details":"ma","howto":"29j"},"CWE-ID:308 Use of Single-factor Authentication",{"point":"29l","priority":"6","details":"md","howto":"275"},"CWE-ID:309 Use of Password System for Primary Authentication",{"point":"29n","priority":"6","details":"mg","howto":"275"},"CWE-ID:311 Missing Encryption of Sensitive Data","::METHOD:Manual Analysis:DESCRIPTION:The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. 
metadata) from sensitive data.::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Network Sniffer Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Man-in-the-middle attack tool:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"29p","priority":"6","details":"mj","howto":"29q"},"CWE-ID:312 Cleartext Storage of Sensitive Information",{"point":"29s","priority":"6","details":"mm","howto":"26r"},"CWE-ID:319 Cleartext Transmission of Sensitive Information","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"29u","priority":"6","details":"n7","howto":"29v"},"CWE-ID:322 Key Exchange without Entity Authentication",{"point":"29x","priority":"6","details":"nd","howto":"275"},"CWE-ID:323 Reusing a Nonce, Key Pair in Encryption",{"point":"29z","priority":"6","details":"ng","howto":"275"},"CWE-ID:324 Use of a Key Past its Expiration Date",{"point":"2a1","priority":"6","details":"nj","howto":"275"},"CWE-ID:326 Inadequate Encryption Strength",{"point":"2a3","priority":"6","details":"np","howto":"26r"},"CWE-ID:327 Use of a Broken or Risky Cryptographic Algorithm","::METHOD:Automated Analysis:DESCRIPTION:Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & 
anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Man-in-the-middle attack tool Cost effective for partial coverage: Framework-based Fuzzer Automated Monitored Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:328 Use of Weak 
Hash",{"point":"2a8","priority":"6","details":"nv","howto":"26r"},"CWE-ID:330 Use of Insufficiently Random Values","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. 
Look for library or system calls that access predictable information such as process IDs and system time.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Man-in-the-middle attack tool:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},"CWE-ID:331 Insufficient Entropy",{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:334 Small Space of Random 
Values",{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:340 Generation of Predictable Numbers or Identifiers",{"point":"2aj","priority":"6","details":"ov","howto":"275"},"CWE-ID:341 Predictable from Observable State",{"point":"2al","priority":"6","details":"oy","howto":"275"},"CWE-ID:342 Predictable Exact Value from Previous Values",{"point":"2an","priority":"6","details":"p1","howto":"275"},"CWE-ID:343 Predictable Value Range from Previous Values",{"point":"2ap","priority":"6","details":"p4","howto":"275"},"CWE-ID:344 Use of Invariant Value in Dynamically Changing Context",{"point":"2ar","priority":"6","details":"p7","howto":"275"},"CWE-ID:345 Insufficient Verification of Data Authenticity",{"point":"2at","priority":"6","details":"pa","howto":"26r"},"CWE-ID:346 Origin Validation Error",{"point":"2av","priority":"6","details":"pd","howto":"275"},"CWE-ID:347 Improper Verification of Cryptographic Signature",{"point":"2ax","priority":"6","details":"pg","howto":"26r"},"CWE-ID:348 Use of Less Trusted Source",{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:353 Missing Support for Integrity Check",{"point":"2b1","priority":"6","details":"py","howto":"275"},"CWE-ID:354 Improper Validation of Integrity Check Value",{"point":"2b3","priority":"6","details":"q1","howto":"275"},"CWE-ID:356 Product UI does not Warn User of Unsafe Actions",{"point":"2b5","priority":"6","details":"q4","howto":"275"},"CWE-ID:357 Insufficient UI Warning of Dangerous Operations",{"point":"2b7","priority":"6","details":"q7","howto":"275"},"CWE-ID:358 Improperly Implemented Security Check for Standard",{"point":"2b9","priority":"6","details":"qa","howto":"275"},"CWE-ID:359 Exposure of Private Personal Information to an Unauthorized Actor","::METHOD:Architecture or Design Review:DESCRIPTION:Private personal data can enter a 
program in a variety of ways: Directly from the user in the form of a password or personal information Accessed from a database or other data store by the application Indirectly from a partner or other third party If the data is written to an external location - such as the console, file system, or network - a privacy violation may occur.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},"CWE-ID:360 Trust of System Event Data",{"point":"2be","priority":"6","details":"qg","howto":"275"},"CWE-ID:362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","::METHOD:Black Box:DESCRIPTION:Black box methods may be able to identify evidence of race conditions via methods such as multiple simultaneous connections, which may cause the software to become instable or crash. However, race conditions with very narrow timing windows would not be detectable.::METHOD:White Box:DESCRIPTION:Common idioms are detectable in white box analysis, such as time-of-check-time-of-use (TOCTOU) file operations (CWE-367), or double-checked locking (CWE-609).::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Race conditions may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. Insert breakpoints or delays in between relevant code statements to artificially expand the race window so that it will be easier to detect.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Framework-based Fuzzer Cost effective for partial coverage: Fuzz Tester Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},"CWE-ID:363 Race Condition Enabling Link Following",{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:368 Context Switching Race Condition",{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:385 Covert Timing Channel",{"point":"2bn","priority":"6","details":"ry","howto":"275"},"CWE-ID:386 Symbolic Name not Mapping to Correct Object",{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:400 Uncontrolled Resource Consumption","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. 
The technique may involve generating a large number of requests to the product within a short time frame.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.:EFFECTIVENESS:Opportunistic::",{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:402 Transmission of Private Resources into a New Sphere ('Resource Leak')",{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:405 Asymmetric Resource Consumption (Amplification)",{"point":"2bw","priority":"6","details":"t7","howto":"275"},"CWE-ID:406 Insufficient Control of Network Message Volume (Network Amplification)",{"point":"2by","priority":"6","details":"ta","howto":"275"},"CWE-ID:407 Inefficient Algorithmic Complexity",{"point":"2c0","priority":"6","details":"td","howto":"275"},"CWE-ID:408 Incorrect Behavior Order: Early Amplification",{"point":"2c2","priority":"6","details":"tg","howto":"275"},"CWE-ID:409 Improper Handling of Highly Compressed Data (Data Amplification)",{"point":"2c4","priority":"6","details":"tj","howto":"275"},"CWE-ID:410 Insufficient Resource Pool",{"point":"2c6","priority":"6","details":"tm","howto":"275"},"CWE-ID:412 Unrestricted Externally Accessible Lock","::METHOD:White Box:DESCRIPTION:Automated code analysis techniques might not be able to reliably detect this weakness, since the application's behavior and general security model dictate which resource locks are critical. Interpretation of the weakness might require knowledge of the environment, e.g. 
if the existence of a file is used as a lock, but the file is created in a world-writable directory.::",{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},"CWE-ID:413 Improper Resource Locking",{"point":"2cb","priority":"6","details":"ts","howto":"26r"},"CWE-ID:414 Missing Lock Check",{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:419 Unprotected Primary Channel",{"point":"2cf","priority":"6","details":"u4","howto":"275"},"CWE-ID:420 Unprotected Alternate Channel",{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:421 Race Condition During Access to Alternate Channel",{"point":"2cj","priority":"6","details":"ua","howto":"275"},"CWE-ID:424 Improper Protection of Alternate Path",{"point":"2cl","priority":"6","details":"ug","howto":"275"},"CWE-ID:434 Unrestricted Upload of File with Dangerous Type","::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may 
be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:436 Interpretation Conflict",{"point":"2cq","priority":"6","details":"vd","howto":"275"},"CWE-ID:437 Incomplete Model of Endpoint Features",{"point":"2cs","priority":"6","details":"vg","howto":"275"},"CWE-ID:439 Behavioral Change in New Version or Environment",{"point":"2cu","priority":"6","details":"vj","howto":"275"},"CWE-ID:440 Expected Behavior Violation",{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:441 Unintended Proxy or Intermediary ('Confused Deputy')",{"point":"2cy","priority":"6","details":"vp","howto":"26r"},"CWE-ID:446 UI Discrepancy for Security Feature",{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:451 User Interface (UI) Misrepresentation of Critical Information",{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:454 External Initialization of Trusted Variables or Data Stores",{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",{"point":"2d6","priority":"6","details":"xj","howto":"26r"},"CWE-ID:471 Modification of Assumed-Immutable Data (MAID)",{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:475 Undefined Behavior for Input to API",{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:494 Download of Code Without Integrity Check","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is typically required to find the behavior that triggers the download of code, and to determine whether integrity-checking methods are in use.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and also sniff the network connection. Trigger features related to product updates or plugin installation, which is likely to force a code download. Monitor when files are downloaded and separately executed, or if they are otherwise read back into the process. Look for evidence of cryptographic library calls that use integrity checking.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:501 Trust Boundary Violation",{"point":"2df","priority":"6","details":"zy","howto":"26r"},"CWE-ID:502 Deserialization of Untrusted Data",{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:510 Trapdoor","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution Forced Path Execution Debugger Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Cost effective for partial coverage: Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},"CWE-ID:511 Logic/Time Bomb",{"point":"2dm","priority":"6","details":"10j","howto":"275"},"CWE-ID:512 Spyware",{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:521 Weak Password Requirements",{"point":"2dq","priority":"6","details":"10y","howto":"26r"},"CWE-ID:522 Insufficiently Protected Credentials",{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:523 Unprotected Transport of Credentials",{"point":"2du","priority":"6","details":"114","howto":"26r"},"CWE-ID:532 Insertion of Sensitive Information into Log File",{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:544 Missing Standardized Error Handling Mechanism",{"point":"2dy","priority":"6","details":"12m","howto":"275"},"CWE-ID:552 Files or Directories Accessible to External Parties",{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:565 Reliance on Cookies without Validation and Integrity Checking",{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:601 URL Redirection to Untrusted Site ('Open Redirect')","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Dynamic 
Analysis:DESCRIPTION:Automated black box tools that supply URLs to every input may be able to spot Location header modifications, but test case coverage is a factor, and custom redirects may not be detected.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis tools may not be able to determine whether input influences the beginning of a URL, which is important for reducing false positives.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},"CWE-ID:602 Client-Side Enforcement of Server-Side Security",{"point":"2e7","priority":"6","details":"16y","howto":"275"},"CWE-ID:603 Use of Client-Side Authentication",{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:610 Externally Controlled Reference to a Resource in Another Sphere",{"point":"2eb","priority":"6","details":"17j","howto":"275"},"CWE-ID:612 Improper Authorization of Index Containing Sensitive Information",{"point":"2ed","priority":"6","details":"17p","howto":"275"},"CWE-ID:613 Insufficient Session Expiration",{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:620 Unverified Password Change",{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:636 Not Failing Securely ('Failing Open')",{"point":"2ej","priority":"6","details":"194","howto":"275"},"CWE-ID:637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:639 Authorization Bypass Through User-Controlled Key",{"point":"2en","priority":"6","details":"19d","howto":"26r"},"CWE-ID:640 Weak Password Recovery Mechanism for Forgotten Password",{"point":"2ep","priority":"6","details":"19g","howto":"275"},"CWE-ID:641 Improper Restriction of Names for Files and Other 
Resources",{"point":"2er","priority":"6","details":"19j","howto":"275"},"CWE-ID:642 External Control of Critical State Data",{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:645 Overly Restrictive Account Lockout Mechanism",{"point":"2ev","priority":"6","details":"19v","howto":"275"},"CWE-ID:648 Incorrect Use of Privileged APIs",{"point":"2ex","priority":"6","details":"1a4","howto":"275"},"CWE-ID:649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:653 Improper Isolation or Compartmentalization","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) 
Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},"CWE-ID:654 Reliance on a Single Factor in a Security Decision",{"point":"2f4","priority":"6","details":"1am","howto":"275"},"CWE-ID:655 Insufficient Psychological Acceptability",{"point":"2f6","priority":"6","details":"1ap","howto":"275"},"CWE-ID:656 Reliance on Security Through Obscurity",{"point":"2f8","priority":"6","details":"1as","howto":"275"},"CWE-ID:657 Violation of Secure Design Principles",{"point":"2fa","priority":"6","details":"1av","howto":"275"},"CWE-ID:662 Improper Synchronization",{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:667 Improper Locking",{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},"CWE-ID:668 Exposure of Resource to Wrong Sphere",{"point":"2fg","priority":"6","details":"1bg","howto":"275"},"CWE-ID:669 Incorrect Resource Transfer Between Spheres",{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:671 Lack of Administrator Control over Security",{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:673 External Influence of Sphere Definition",{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:694 Use of Multiple Resources with Duplicate Identifier",{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:696 Incorrect Behavior Order",{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:706 Use of Incorrectly-Resolved Name or Reference",{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:708 Incorrect Ownership Assignment",{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:732 Incorrect Permission Assignment for Critical Resource","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, 
device interfaces, etc. Automated techniques may be able to detect the use of library functions that modify permissions, then analyze function calls for arguments that contain potentially insecure values. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated static analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated static analysis. It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may be effective in detecting permission problems for system resources such as files, directories, shared memory, device interfaces, etc. However, since the software's intended security policy might allow loose permissions for certain operations (such as publishing a file on a web server), automated dynamic analysis may produce some false positives - i.e., warnings that do not have any security consequences or require any code changes. When custom permissions models are used - such as defining who can read messages in a particular forum in a bulletin board system - these can be difficult to detect using automated dynamic analysis. 
It may be possible to define custom signatures that identify any custom functions that implement the permission checks and assignments.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis may be effective in detecting the use of custom permissions models and functions. The code could then be examined to identifying usage of the related functions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Manual Dynamic Analysis:DESCRIPTION:Manual dynamic analysis may be effective in detecting the use of custom permissions models and functions. The program could then be executed with a focus on exercising code paths that are related to the custom permissions. Then the human analyst could evaluate permission assignments in the context of the intended security model of the software.::METHOD:Fuzzing:DESCRIPTION:Fuzzing is not effective in detecting this weakness.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and watch for library functions or system calls on OS resources such as files, directories, and shared memory. Examine the arguments to these calls to infer which permissions are being used.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inter-application Flow Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Host Application Interface Scanner Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},"CWE-ID:749 Exposed Dangerous Method or Function",{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",{"point":"2g1","priority":"6","details":"1ev","howto":"26r"},"CWE-ID:770 Allocation of Resources Without Limits or Throttling","::METHOD:Manual Static Analysis:DESCRIPTION:Manual static analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. If denial-of-service is not considered a significant risk, or if there is strong emphasis on consequences such as code execution, then manual analysis may not focus on this weakness at all.::METHOD:Fuzzing:DESCRIPTION:While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find uncontrolled resource allocation problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to limit resource allocation may be the cause. 
When the allocation is directly affected by numeric inputs, then fuzzing may produce indications of this weakness.:EFFECTIVENESS:Opportunistic::METHOD:Automated Dynamic Analysis:DESCRIPTION:Certain automated dynamic analysis techniques may be effective in producing side effects of uncontrolled resource allocation problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. Manual analysis is likely required to interpret the results.::METHOD:Automated Static Analysis:DESCRIPTION:Specialized configuration or tuning may be required to train automated tools to recognize this weakness. Automated static analysis typically has limited utility in recognizing unlimited allocation problems, except for the missing release of program-independent system resources such as files, sockets, and processes, or unchecked arguments to memory. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired, or if too much of a resource is requested at once, as can occur with memory. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. 
Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.::",{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:798 Use of Hard-coded Credentials","::METHOD:Black Box:DESCRIPTION:Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.:EFFECTIVENESS:Moderate::METHOD:Automated Static Analysis:DESCRIPTION:Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.::METHOD:Manual Dynamic Analysis:DESCRIPTION:For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. 
Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Network Sniffer Forced Path Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static 
Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2g6","priority":"6","details":"1i7","howto":"2g7"},"CWE-ID:799 Improper Control of Interaction Frequency",{"point":"2g9","priority":"6","details":"1ia","howto":"275"},"CWE-ID:804 Guessable CAPTCHA",{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:807 Reliance on Untrusted Inputs in a Security Decision","::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web 
Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:862 Missing Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. 
In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not 
inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},"CWE-ID:863 Incorrect Authorization","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.:EFFECTIVENESS:Limited::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. 
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, 
etc.):EFFECTIVENESS:High::",{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:912 Hidden Functionality",{"point":"2gm","priority":"6","details":"1l4","howto":"275"},"CWE-ID:913 Improper Control of Dynamically-Managed Code Resources",{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},"CWE-ID:916 Use of Password Hash With Insufficient Computational Effort","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Configuration Checker:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the 
following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2gs","priority":"6","details":"1lg","howto":"2gt"},"CWE-ID:917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},"CWE-ID:918 Server-Side Request Forgery (SSRF)",{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},"CWE-ID:920 Improper Restriction of Power Consumption",{"point":"2gz","priority":"6","details":"1lp","howto":"275"},"CWE-ID:921 Storage of Sensitive Data in a Mechanism without Access Control",{"point":"2h1","priority":"6","details":"1ls","howto":"275"},"CWE-ID:922 Insecure Storage of Sensitive Information",{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:923 Improper Restriction of Communication Channel to Intended Endpoints",{"point":"2h5","priority":"6","details":"1ly","howto":"26r"},"CWE-ID:924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",{"point":"2h7","priority":"6","details":"1m1","howto":"275"},"CWE-ID:940 Improper Verification of Source of a Communication Channel",{"point":"2h9","priority":"6","details":"1mg","howto":"275"},"CWE-ID:941 Incorrectly Specified Destination in a Communication Channel",{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:1007 Insufficient Visual Distinction of Homoglyphs Presented to User","::METHOD:Manual Dynamic Analysis:DESCRIPTION:If utilizing user accounts, attempt to submit a username that contains homoglyphs. 
Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.:EFFECTIVENESS:Moderate::",{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1037 Processor Optimization Removal or Modification of Security-critical Code","::METHOD:White Box:DESCRIPTION:In theory this weakness can be detected through the use of white box testing techniques where specifically crafted test cases are used in conjunction with debuggers to verify the order of statements being executed.:EFFECTIVENESS:Opportunistic::",{"point":"2hg","priority":"6","details":"1nd","howto":"2hh"},"CWE-ID:1038 Insecure Automated Optimizations",{"point":"2hj","priority":"6","details":"1ng","howto":"275"},"CWE-ID:1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",{"point":"2hl","priority":"6","details":"1nj","howto":"275"},"CWE-ID:1044 Architecture with Number of Horizontal Layers Outside of Expected Range",{"point":"2hn","priority":"6","details":"1nv","howto":"275"},"CWE-ID:1059 Insufficient Technical Documentation",{"point":"2hp","priority":"6","details":"1p4","howto":"275"},"CWE-ID:1173 Improper Use of Validation Framework","::METHOD:Automated Static Analysis:DESCRIPTION:Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present. 
Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.::",{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1176 Inefficient CPU Computation",{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Pre-silicon / post-silicon: Test access to shared systems resources (memory ranges, control registers, etc.) from untrusted software to verify that the assets are not incorrectly exposed to untrusted agents. Note that access to shared resources can be dynamically allowed or revoked based on system flows. Security testing should cover such dynamic shared resource allocation and access control modification flows.:EFFECTIVENESS:High::",{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},"CWE-ID:1190 DMA Device Enabled Too Early in Boot Phase",{"point":"2hz","priority":"6","details":"1vd","howto":"275"},"CWE-ID:1191 On-Chip Debug and Test Interface With Improper Access Control","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. 
Withholding of private register documentation from the debug and test interface public specification (Security by obscurity) should not be considered as sufficient security.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.::METHOD:Fuzzing:DESCRIPTION:Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.:EFFECTIVENESS:Moderate::",{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},"CWE-ID:1192 Improper Identifier for IP Block used in System-On-Chip (SOC)",{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1209 Failure to Disable Reserved Bits",{"point":"2i6","priority":"6","details":"1vs","howto":"275"},"CWE-ID:1220 Insufficient Granularity of Access Control",{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1223 Race Condition for Write-Once Attributes",{"point":"2ia","priority":"6","details":"1w4","howto":"275"},"CWE-ID:1224 Improper Restriction of Write-Once Bit Fields",{"point":"2ic","priority":"6","details":"1w7","howto":"275"},"CWE-ID:1230 Exposure of Sensitive Information Through Metadata",{"point":"2ie","priority":"6","details":"1wd","howto":"275"},"CWE-ID:1231 Improper Prevention of Lock Bit Modification","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Power cycle the device. Attempt to clear the lock bit. If the information is changed, implement a design fix. Retest. 
Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},"CWE-ID:1232 Improper Lock Behavior After Power State Transition",{"point":"2ij","priority":"6","details":"1wj","howto":"275"},"CWE-ID:1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection","::METHOD:Manual Analysis:DESCRIPTION:Set the lock bit. Attempt to modify the information protected by the lock bit. If the information is changed, implement a design fix. Retest. Also, attempt to indirectly clear the lock bit or bypass it.:EFFECTIVENESS:High::",{"point":"2il","priority":"6","details":"1wm","howto":"2im"},"CWE-ID:1234 Hardware Internal or Debug Modes Allow Override of Locks",{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1240 Use of a Cryptographic Primitive with a Risky Implementation","::METHOD:Architecture or Design Review:DESCRIPTION:Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. 
If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].:EFFECTIVENESS:Moderate::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. 
the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).:EFFECTIVENESS:Moderate::",{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},"CWE-ID:1241 Use of Predictable Algorithm in Random Number Generator",{"point":"2it","priority":"6","details":"1x4","howto":"275"},"CWE-ID:1242 Inclusion of Undocumented Features or Chicken Bits",{"point":"2iv","priority":"6","details":"1x7","howto":"275"},"CWE-ID:1243 Sensitive Non-Volatile Information Not Protected During Debug",{"point":"2ix","priority":"6","details":"1xa","howto":"275"},"CWE-ID:1244 Internal Asset Exposed to Unsafe Debug Access Level or State","::METHOD:Manual Analysis:DESCRIPTION:Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.:EFFECTIVENESS:Moderate::",{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},"CWE-ID:1245 Improper Finite State Machines (FSMs) in Hardware Logic",{"point":"2j2","priority":"6","details":"1xg","howto":"275"},"CWE-ID:1246 Improper Write Handling in Limited-write Non-Volatile Memories",{"point":"2j4","priority":"6","details":"1xj","howto":"275"},"CWE-ID:1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System",{"point":"2j6","priority":"6","details":"1xs","howto":"275"},"CWE-ID:1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",{"point":"2j8","priority":"6","details":"1y1","howto":"275"},"CWE-ID:1253 Incorrect Selection of Fuse Values",{"point":"2ja","priority":"6","details":"1y4","howto":"275"},"CWE-ID:1254 Incorrect Comparison Logic Granularity",{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1256 Improper Restriction of Software 
Interfaces to Hardware Features","::METHOD:Manual Analysis:DESCRIPTION:Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.:EFFECTIVENESS:Moderate::",{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},"CWE-ID:1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions",{"point":"2jh","priority":"6","details":"1yg","howto":"275"},"CWE-ID:1258 Exposure of Sensitive System Information Due to Uncleared Debug Information",{"point":"2jj","priority":"6","details":"1yj","howto":"275"},"CWE-ID:1259 Improper Restriction of Security Token Assignment",{"point":"2jl","priority":"6","details":"1ym","howto":"275"},"CWE-ID:1260 Improper Handling of Overlap Between Protected Memory Ranges","::METHOD:Manual Analysis:DESCRIPTION:Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.:EFFECTIVENESS:High::",{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},"CWE-ID:1261 Improper Handling of Single Event Upsets",{"point":"2jq","priority":"6","details":"1ys","howto":"275"},"CWE-ID:1262 Improper Access Control for Register Interface","::METHOD:Manual Analysis:DESCRIPTION:This is applicable in the Architecture phase before implementation started. Make sure access policy is specified for the entire memory map. 
Manual analysis may not ensure the implementation is correct.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Registers controlling hardware should have access control implemented. This access control may be checked manually for correct implementation. Items to check consist of how are trusted parties set, how are trusted parties verified, how are accesses verified, etc. Effectiveness of a manual analysis will vary depending upon how complicated the interface is constructed.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:Functional simulation is applicable during the Implementation Phase. Testcases must be created and executed for memory mapped registers to verify adherence to the access control policy. This method can be effective, since functional verification needs to be performed on the design, and verification for this weakness will be included. There can be difficulty covering the entire memory space during the test.:EFFECTIVENESS:Moderate::METHOD:Formal Verification:DESCRIPTION:Formal verification is applicable during the Implementation phase. Assertions need to be created in order to capture illegal register access scenarios and prove that they cannot occur. Formal methods are exhaustive and can be very effective, but creating the cases for large designs may be complex and difficult.:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:Information flow tracking can be applicable during the Implementation phase. Security sensitive data (assets) - for example, as stored in registers - is automatically tracked over time through the design to verify the data doesn't reach illegal destinations that violate the access policies for the memory map. This method can be very effective when used together with simulation and emulation, since detecting violations doesn't rely on specific scenarios or data values. 
This method does rely on simulation and emulation, so testcases must exist in order to use this method.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Manual documentation review of the system memory map, register specification, and permissions associated with accessing security-relevant functionality exposed via memory-mapped registers.:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Perform penetration testing (either manual or semi-automated with fuzzing) to verify that access control mechanisms such as the memory protection units or on-chip bus firewall settings adequately protect critical hardware registers from software access.:EFFECTIVENESS:Moderate::",{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},"CWE-ID:1263 Improper Physical Access Control",{"point":"2jv","priority":"6","details":"1yy","howto":"275"},"CWE-ID:1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels",{"point":"2jx","priority":"6","details":"1z1","howto":"275"},"CWE-ID:1266 Improper Scrubbing of Sensitive Data from Decommissioned Device",{"point":"2jz","priority":"6","details":"1z7","howto":"275"},"CWE-ID:1267 Policy Uses Obsolete Encoding",{"point":"2k1","priority":"6","details":"1za","howto":"275"},"CWE-ID:1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents",{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1270 Generation of Incorrect Security Tokens",{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1272 Sensitive Information Uncleared Before Debug/Power State Transition","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. 
Note that this test can likely be automated.:EFFECTIVENESS:High::",{"point":"2k7","priority":"6","details":"1zp","howto":"2k8"},"CWE-ID:1274 Improper Access Control for Volatile Memory Containing Boot Code","::METHOD:Manual Analysis:DESCRIPTION:Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.:EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Analyze the device using the following steps: Identify all fabric master agents that are active during system Boot Flow when initial code is loaded from Non-volatile storage to volatile memory. Identify the volatile memory regions that are used for storing loaded system executable program. During system boot, test programming the identified memory regions in step 2 from all the masters identified in step 1. Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.:EFFECTIVENESS:Moderate::",{"point":"2ka","priority":"6","details":"1zv","howto":"2kb"},"CWE-ID:1277 Firmware Not Updateable","::METHOD:Manual Analysis:DESCRIPTION:Create a new installable boot image of the current build with a minor version number change. Use the standard installation method to update the boot image. Verify that the minor version number has changed. Create a fake image. 
Verify that the boot updater will not install the fake image and generates an invalid image error message or equivalent.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Determine if there is a lack of a capability to update read-only memory (ROM) structure. This could manifest as a difference between the latest firmware version and the current version within the device.:EFFECTIVENESS:High::",{"point":"2kd","priority":"6","details":"204","howto":"2ke"},"CWE-ID:1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",{"point":"2kg","priority":"6","details":"207","howto":"275"},"CWE-ID:1279 Cryptographic Operations are run Before Supporting Units are Ready",{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1281 Sequence of Processor Instructions Leads to Unexpected Behavior",{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1283 Mutable Attestation or Measurement Reporting Data",{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1290 Incorrect Decoding of Security Identifiers ",{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1292 Incorrect Conversion of Security Identifiers",{"point":"2kq","priority":"6","details":"21d","howto":"275"},"CWE-ID:1293 Missing Source Correlation of Multiple Independent Data",{"point":"2ks","priority":"6","details":"21g","howto":"275"},"CWE-ID:1294 Insecure Security Identifier Mechanism",{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1298 Hardware Logic Contains Race Conditions",{"point":"2kw","priority":"6","details":"21v","howto":"275"},"CWE-ID:1299 Missing Protection Mechanism for Alternate Hardware 
Interface",{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)",{"point":"2l0","priority":"6","details":"227","howto":"275"},"CWE-ID:1303 Non-Transparent Sharing of Microarchitectural Resources",{"point":"2l2","priority":"6","details":"22a","howto":"275"},"CWE-ID:1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",{"point":"2l4","priority":"6","details":"22d","howto":"275"},"CWE-ID:1310 Missing Ability to Patch ROM Code",{"point":"2l6","priority":"6","details":"22g","howto":"275"},"CWE-ID:1311 Improper Translation of Security Attributes by Fabric Bridge",{"point":"2l8","priority":"6","details":"22j","howto":"275"},"CWE-ID:1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall","::METHOD:Manual Dynamic Analysis:DESCRIPTION:Using an external debugger, send write transactions to mirrored regions to test if original, write-protected regions are modified. 
Similarly, send read transactions to mirrored regions to test if the original, read-protected signals can be read.:EFFECTIVENESS:High::",{"point":"2la","priority":"6","details":"22m","howto":"2lb"},"CWE-ID:1313 Hardware Allows Activation of Test or Debug Logic at Runtime",{"point":"2ld","priority":"6","details":"22p","howto":"275"},"CWE-ID:1314 Missing Write Protection for Parametric Data Values",{"point":"2lf","priority":"6","details":"22s","howto":"275"},"CWE-ID:1315 Improper Setting of Bus Controlling Capability in Fabric End-point",{"point":"2lh","priority":"6","details":"22v","howto":"275"},"CWE-ID:1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Review address map in specification to see if there are any overlapping ranges.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Negative testing of access control on overlapped ranges.:EFFECTIVENESS:High::",{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},"CWE-ID:1317 Improper Access Control in Fabric Bridge","::METHOD:Simulation / Emulation:DESCRIPTION:RTL simulation to ensure that bridge-access controls are implemented properly.:EFFECTIVENESS:High::METHOD:Formal Verification:DESCRIPTION:Formal verification of bridge RTL to ensure that access control cannot be bypassed.:EFFECTIVENESS:High::",{"point":"2lm","priority":"6","details":"231","howto":"2ln"},"CWE-ID:1318 Missing Support for Security Features in On-chip Fabrics or Buses","::METHOD:Architecture or Design Review:DESCRIPTION:Review the fabric specification and ensure that it contains signals to transfer security-sensitive signals.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:Lack of security features can also be confirmed through manual RTL review of the fabric RTL.:EFFECTIVENESS:High::",{"point":"2lp","priority":"6","details":"234","howto":"2lq"},"CWE-ID:1319 Improper Protection against Electromagnetic 
Fault Injection (EM-FI)",{"point":"2ls","priority":"6","details":"237","howto":"275"},"CWE-ID:1320 Improper Protection for Outbound Error Messages and Alert Signals",{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1323 Improper Management of Sensitive Trace Data",{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1326 Missing Immutable Root of Trust in Hardware","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Automated testing can verify that RoT components are immutable.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Root of trust elements and memory should be part of architecture and design reviews.:EFFECTIVENESS:High::",{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},"CWE-ID:1328 Security Version Number Mutable to Older Versions","::METHOD:Automated Dynamic Analysis:DESCRIPTION:Mutability of stored security version numbers and programming with older firmware images should be part of automated testing.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Anti-roll-back features should be reviewed as part of Architecture or Design review.:EFFECTIVENESS:High::",{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},"CWE-ID:1329 Reliance on Component That is Not Updateable","::METHOD:Architecture or Design Review:DESCRIPTION:Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.:EFFECTIVENESS:Moderate::",{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1331 Improper Isolation of Shared Resources in Network On Chip (NoC)","::METHOD:Manual Analysis:DESCRIPTION:Providing marker flags to send through the interfaces coupled with examination of which users are able to read or manipulate the flags will help verify that the proper isolation has been achieved and is 
effective.:EFFECTIVENESS:Moderate::",{"point":"2m7","priority":"6","details":"244","howto":"2m8"},"CWE-ID:1332 Improper Handling of Faults that Lead to Instruction Skips","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found using automated static analysis once a developer has indicated which code paths are critical to protect.:EFFECTIVENESS:Moderate::METHOD:Simulation / Emulation:DESCRIPTION:This weakness can be found using automated dynamic analysis. Both emulation of a CPU with instruction skips, as well as RTL simulation of a CPU IP, can indicate parts of the code that are sensitive to faults due to instruction skips.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be found using manual (static) analysis. The analyst has security objectives that are matched against the high-level code. This method is less precise than emulation, especially if the analysis is done at the higher level language rather than at assembly level.:EFFECTIVENESS:Moderate::",{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1334 Unauthorized Error Injection Can Degrade Hardware Redundancy",{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1336 Improper Neutralization of Special Elements Used in a Template Engine",{"point":"2mf","priority":"6","details":"24j","howto":"275"},"CWE-ID:1338 Improper Protections Against Hardware Overheating","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Dynamic tests should be performed to stress-test temperature controls.:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:Power management controls should be part of Architecture and Design reviews.:EFFECTIVENESS:High::",{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1342 Information Exposure through Microarchitectural State after Transient Execution",{"point":"2mk","priority":"6","details":"24v","howto":"275"},"CWE-ID:1351 Improper Handling of Hardware 
Behavior in Exceptionally Cold Environments",{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1357 Reliance on Insufficiently Trustworthy Component",{"point":"2mo","priority":"6","details":"251","howto":"275"},"CWE-ID:1384 Improper Handling of Physical or Environmental Conditions",{"point":"2mq","priority":"6","details":"254","howto":"275"},"CWE-ID:1390 Weak Authentication",{"point":"2ms","priority":"6","details":"25g","howto":"275"},"CWE-ID:1391 Use of Weak Credentials",{"point":"2mu","priority":"6","details":"25j","howto":"275"},"CWE-ID:1392 Use of Default Credentials",{"point":"2mw","priority":"6","details":"25m","howto":"275"},"CWE-ID:1393 Use of Default Password",{"point":"2my","priority":"6","details":"25p","howto":"275"},"CWE-ID:1394 Use of Default Cryptographic Key",{"point":"2n0","priority":"6","details":"25s","howto":"275"},"CWE-ID:1395 Dependency on Vulnerable Third-Party Component","::METHOD:Automated Analysis:DESCRIPTION:For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.:EFFECTIVENESS:High::",{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1420 Exposure of Sensitive Information during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by exhaustively analyzing a processor's machine clear (or nuke) conditions ([REF-1427]).:EFFECTIVENESS:Moderate::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1428]).:EFFECTIVENESS:Opportunistic::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in software using software fuzzing tools ([REF-1429]).:EFFECTIVENESS:Opportunistic::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Limited::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. 
For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2n5","priority":"6","details":"261","howto":"2n6"},"CWE-ID:1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state. Academic researchers have demonstrated that new hardware weaknesses can be discovered by examining publicly available patent filings, for example [REF-1405] and [REF-1406]. Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected (pre-discovery) in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label data in one context (for example, kernel data) and perform information flow analysis (or a simulation, etc.) to determine whether tainted data can appear in another context (for example, user mode). Alternatively, stale or invalid data in shared microarchitectural resources can be marked as tainted, and the taint analysis framework can identify when transient operations encounter tainted data.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses (post-discovery) on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Academic researchers have demonstrated that this weakness can be detected in hardware using software fuzzing tools that treat the underlying hardware as a black box ([REF-1406], [REF-1430]):EFFECTIVENESS:Opportunistic::",{"point":"2n8","priority":"6","details":"264","howto":"2n9"},"CWE-ID:1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution","::METHOD:Automated Static Analysis:DESCRIPTION:A variety of automated static analysis tools can identify potentially exploitable code sequences in software. These tools may perform the analysis on source code, on binary code, or on an intermediate code representation (for example, during compilation).:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. 
Features that exhibit this weakness may include microarchitectural predictors, access control checks that occur out-of-order, or any other features that can allow operations to execute without committing to architectural state.Hardware designers can also scrutinize aspects of the instruction set architecture that have undefined behavior; these can become a focal point when applying other detection methods.:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::",{"point":"2nb","priority":"6","details":"267","howto":"2nc"},"CWE-ID:1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected in hardware by manually inspecting processor specifications. Features that exhibit this weakness may have microarchitectural predictor state that is shared between hardware threads, execution contexts (for example, user and kernel), or other components that may host mutually distrusting software (or firmware, etc.).:EFFECTIVENESS:Moderate::METHOD:Automated Analysis:DESCRIPTION:Software vendors can release tools that detect presence of known weaknesses on a processor. 
For example, some of these tools can attempt to transiently execute a vulnerable code sequence and detect whether code successfully leaks data in a manner consistent with the weakness under test. Alternatively, some hardware vendors provide enumeration for the presence of a weakness (or lack of a weakness). These enumeration bits can be checked and reported by system software. For example, Linux supports these checks for many commodity processors: $ cat /proc/cpuinfo | grep bugs | head -n 1 bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed:EFFECTIVENESS:High::METHOD:Automated Analysis:DESCRIPTION:This weakness can be detected in hardware by employing static or dynamic taint analysis methods [REF-1401]. These methods can label each predictor entry (or prediction history, etc.) according to the processor context that created it. Taint analysis or information flow analysis can then be applied to detect when predictor state created in one context can influence predictions made in another 
context.:EFFECTIVENESS:Moderate::",{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["26m","26p","26s","26v","26y","271","273","276","278","27a","27c","27e","27h","27j","27l","27n","27p","27r","27t","27v","27y","280","282","284","286","288","28a","28c","28e","28g","28i","28k","28n","28p","28r","28u","28w","28z","291","293","295","298","29a","29c","29e","29h","29k","29m","29o","29r","29t","29w","29y","2a0","2a2","2a4","2a7","2a9","2ac","2ae","2ag","2ai","2ak","2am","2ao","2aq","2as","2au","2aw","2ay","2b0","2b2","2b4","2b6","2b8","2ba","2bd","2bf","2bi","2bk","2bm","2bo","2bq","2bt","2bv","2bx","2bz","2c1","2c3","2c5","2c7","2ca","2cc","2ce","2cg","2ci","2ck","2cm","2cp","2cr","2ct","2cv","2cx","2cz","2d1","2d3","2d5","2d7","2d9","2db","2de","2dg","2di","2dl","2dn","2dp","2dr","2dt","2dv","2dx","2dz","2e1","2e3","2e6","2e8","2ea","2ec","2ee","2eg","2ei","2ek","2em","2eo","2eq","2es","2eu","2ew","2ey","2f0","2f3","2f5","2f7","2f9","2fb","2fd","2ff","2fh","2fj","2fl","2fn","2fp","2fr","2ft","2fv","2fy","2g0","2g2","2g5","2g8","2ga","2gc","2gf","2gi","2gl","2gn","2gp","2gr","2gu","2gw","2gy","2h0","2h2","2h4","2h6","2h8","2ha","2hc","2hf","2hi","2hk","2hm","2ho","2hq","2ht","2hv","2hy","2i0","2i3","2i5","2i7","2i9","2ib","2id","2if","2ii","2ik","2in","2ip","2is","2iu","2iw","2iy","2j1","2j3","2j5","2j7","2j9","2jb","2jd","2jg","2ji","2jk","2jm","2jp","2jr","2ju","2jw","2jy","2k0","2k2","2k4","2k6","2k9","2kc","2kf","2kh","2kj","2kl","2kn","2kp","2kr","2kt","2kv","2kx","2kz","2l1","2l3","2l5","2l7","2l9","2lc","2le","2lg","2li","2ll","2lo","2lr","2lt","2lv","2lx","2m0","2m3","2m6","2m9","2mc","2me","2mg","2mj","2ml","2mn","2mp","2mr","2mt","2mv","2mx","2mz","2n1","2n4","2n7","2na","2nd","2ng"],"magenta",{"title":"26f","slug":"26g","description":"26h","icon":"26i","intro":"26j","checklist":"2nh","color":"2ni"},"CWE :Weaknesses During Implementation","implementation-security","This view (slice) lists weaknesses that can be introduced during 
implementation.","shield","CWE-ID:5 J2EE Misconfiguration: Data Transmission Without Encryption",{"point":"2no","priority":"6","details":"7","howto":"275"},"CWE-ID:6 J2EE Misconfiguration: Insufficient Session-ID Length",{"point":"2nq","priority":"6","details":"a","howto":"275"},"CWE-ID:7 J2EE Misconfiguration: Missing Custom Error Page",{"point":"2ns","priority":"6","details":"d","howto":"275"},"CWE-ID:8 J2EE Misconfiguration: Entity Bean Declared Remote",{"point":"2nu","priority":"6","details":"g","howto":"275"},"CWE-ID:9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods",{"point":"2nw","priority":"6","details":"j","howto":"275"},"CWE-ID:11 ASP.NET Misconfiguration: Creating Debug Binary",{"point":"2ny","priority":"6","details":"m","howto":"26r"},"CWE-ID:12 ASP.NET Misconfiguration: Missing Custom Error Page",{"point":"2o0","priority":"6","details":"p","howto":"275"},"CWE-ID:13 ASP.NET Misconfiguration: Password in Configuration File",{"point":"2o2","priority":"6","details":"s","howto":"275"},"CWE-ID:14 Compiler Removal of Code to Clear Buffers","::METHOD:Black Box:DESCRIPTION:This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.::METHOD:White Box:DESCRIPTION:This weakness is only detectable using white box methods (see black box detection factor). 
Careful analysis is required to determine if the code is likely to be removed by the compiler.::",{"point":"2o4","priority":"6","details":"v","howto":"2o5"},"CWE-ID:15 External Control of System or Configuration Setting",{"point":"2o7","priority":"6","details":"y","howto":"26r"},{"point":"26k","priority":"6","details":"11","howto":"26l"},"CWE-ID:22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","::METHOD:Automated Static Analysis:DESCRIPTION:Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.:EFFECTIVENESS:High::METHOD:Manual Static Analysis:DESCRIPTION:Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database 
Scanners:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2oa","priority":"6","details":"14","howto":"2ob"},"CWE-ID:23 Relative Path Traversal",{"point":"2od","priority":"6","details":"17","howto":"26r"},"CWE-ID:24 Path Traversal: '../filedir'",{"point":"2of","priority":"6","details":"1a","howto":"275"},"CWE-ID:25 Path Traversal: '/../filedir'",{"point":"2oh","priority":"6","details":"1d","howto":"275"},"CWE-ID:26 Path Traversal: '/dir/../filename'",{"point":"2oj","priority":"6","details":"1g","howto":"275"},"CWE-ID:27 Path Traversal: 'dir/../../filename'",{"point":"2ol","priority":"6","details":"1j","howto":"275"},"CWE-ID:28 Path Traversal: '..filedir'",{"point":"2on","priority":"6","details":"1m","howto":"275"},"CWE-ID:29 Path Traversal: '..filename'",{"point":"2op","priority":"6","details":"1p","howto":"275"},"CWE-ID:30 Path Traversal: 
'dir..filename'",{"point":"2or","priority":"6","details":"1s","howto":"275"},"CWE-ID:31 Path Traversal: 'dir....filename'",{"point":"2ot","priority":"6","details":"1v","howto":"275"},"CWE-ID:32 Path Traversal: '...' (Triple Dot)",{"point":"2ov","priority":"6","details":"1y","howto":"275"},"CWE-ID:33 Path Traversal: '....' (Multiple Dot)",{"point":"2ox","priority":"6","details":"21","howto":"275"},"CWE-ID:34 Path Traversal: '....//'","::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"2oz","priority":"6","details":"24","howto":"2p0"},"CWE-ID:35 Path Traversal: '.../...//'",{"point":"2p2","priority":"6","details":"27","howto":"275"},"CWE-ID:36 Absolute Path Traversal",{"point":"2p4","priority":"6","details":"2a","howto":"26r"},"CWE-ID:37 Path Traversal: '/absolute/pathname/here'",{"point":"2p6","priority":"6","details":"2d","howto":"275"},"CWE-ID:38 Path Traversal: 'absolutepathnamehere'",{"point":"2p8","priority":"6","details":"2g","howto":"275"},"CWE-ID:39 Path Traversal: 'C:dirname'",{"point":"2pa","priority":"6","details":"2j","howto":"275"},"CWE-ID:40 Path Traversal: 'UNCsharename' (Windows UNC Share)",{"point":"2pc","priority":"6","details":"2m","howto":"275"},"CWE-ID:41 Improper Resolution of Path Equivalence","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code 
weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2pe","priority":"6","details":"2p","howto":"2pf"},"CWE-ID:42 Path Equivalence: 'filename.' (Trailing Dot)",{"point":"2ph","priority":"6","details":"2s","howto":"275"},"CWE-ID:43 Path Equivalence: 'filename....' 
(Multiple Trailing Dot)",{"point":"2pj","priority":"6","details":"2v","howto":"275"},"CWE-ID:44 Path Equivalence: 'file.name' (Internal Dot)",{"point":"2pl","priority":"6","details":"2y","howto":"275"},"CWE-ID:45 Path Equivalence: 'file...name' (Multiple Internal Dot)",{"point":"2pn","priority":"6","details":"31","howto":"275"},"CWE-ID:46 Path Equivalence: 'filename ' (Trailing Space)",{"point":"2pp","priority":"6","details":"34","howto":"275"},"CWE-ID:47 Path Equivalence: ' filename' (Leading Space)",{"point":"2pr","priority":"6","details":"37","howto":"275"},"CWE-ID:48 Path Equivalence: 'file name' (Internal Whitespace)",{"point":"2pt","priority":"6","details":"3a","howto":"275"},"CWE-ID:49 Path Equivalence: 'filename/' (Trailing Slash)",{"point":"2pv","priority":"6","details":"3d","howto":"275"},"CWE-ID:50 Path Equivalence: '//multiple/leading/slash'",{"point":"2px","priority":"6","details":"3g","howto":"275"},"CWE-ID:51 Path Equivalence: '/multiple//internal/slash'",{"point":"2pz","priority":"6","details":"3j","howto":"275"},"CWE-ID:52 Path Equivalence: '/multiple/trailing/slash//'",{"point":"2q1","priority":"6","details":"3m","howto":"275"},"CWE-ID:53 Path Equivalence: 'multipleinternalbackslash'",{"point":"2q3","priority":"6","details":"3p","howto":"275"},"CWE-ID:54 Path Equivalence: 'filedir' (Trailing Backslash)",{"point":"2q5","priority":"6","details":"3s","howto":"275"},"CWE-ID:55 Path Equivalence: '/./' (Single Dot Directory)",{"point":"2q7","priority":"6","details":"3v","howto":"275"},"CWE-ID:56 Path Equivalence: 'filedir*' (Wildcard)",{"point":"2q9","priority":"6","details":"3y","howto":"275"},"CWE-ID:57 Path Equivalence: 'fakedir/../realdir/filename'",{"point":"2qb","priority":"6","details":"41","howto":"275"},"CWE-ID:58 Path Equivalence: Windows 8.3 Filename",{"point":"2qd","priority":"6","details":"44","howto":"275"},"CWE-ID:59 Improper Link Resolution Before File Access ('Link 
Following')",{"point":"2qf","priority":"6","details":"47","howto":"2pf"},"CWE-ID:61 UNIX Symbolic Link (Symlink) Following",{"point":"2qh","priority":"6","details":"4a","howto":"275"},"CWE-ID:62 UNIX Hard Link",{"point":"2qj","priority":"6","details":"4d","howto":"275"},"CWE-ID:65 Windows Hard Link",{"point":"2ql","priority":"6","details":"4j","howto":"275"},"CWE-ID:66 Improper Handling of File Names that Identify Virtual Resources",{"point":"2qn","priority":"6","details":"4m","howto":"2pf"},"CWE-ID:67 Improper Handling of Windows Device Names",{"point":"2qp","priority":"6","details":"4p","howto":"275"},"CWE-ID:69 Improper Handling of Windows ::DATA Alternate Data Stream",{"point":"2qr","priority":"6","details":"4s","howto":"275"},"CWE-ID:72 Improper Handling of Apple HFS+ Alternate Data Stream Path",{"point":"2qt","priority":"6","details":"4v","howto":"275"},{"point":"26n","priority":"6","details":"4y","howto":"26o"},"CWE-ID:74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",{"point":"2qw","priority":"6","details":"51","howto":"26r"},"CWE-ID:75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",{"point":"2qy","priority":"6","details":"54","howto":"275"},"CWE-ID:76 Improper Neutralization of Equivalent Special Elements",{"point":"2r0","priority":"6","details":"57","howto":"275"},"CWE-ID:77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",{"point":"2r2","priority":"6","details":"5a","howto":"26r"},"CWE-ID:78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for 
partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2r4","priority":"6","details":"5d","howto":"2r5"},"CWE-ID:79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","::METHOD:Automated Static Analysis:DESCRIPTION:Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.:EFFECTIVENESS:Moderate::METHOD:Black Box:DESCRIPTION:Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. 
The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.:EFFECTIVENESS:Moderate::",{"point":"2r7","priority":"6","details":"5g","howto":"2r8"},"CWE-ID:80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",{"point":"2ra","priority":"6","details":"5j","howto":"26r"},"CWE-ID:81 Improper Neutralization of Script in an Error Message Web Page",{"point":"2rc","priority":"6","details":"5m","howto":"275"},"CWE-ID:82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",{"point":"2re","priority":"6","details":"5p","howto":"275"},"CWE-ID:83 Improper Neutralization of Script in Attributes in a Web Page",{"point":"2rg","priority":"6","details":"5s","howto":"26r"},"CWE-ID:84 Improper Neutralization of Encoded URI Schemes in a Web Page",{"point":"2ri","priority":"6","details":"5v","howto":"275"},"CWE-ID:85 Doubled Character XSS Manipulations",{"point":"2rk","priority":"6","details":"5y","howto":"275"},"CWE-ID:86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages",{"point":"2rm","priority":"6","details":"61","howto":"26r"},"CWE-ID:87 Improper Neutralization of Alternate XSS Syntax",{"point":"2ro","priority":"6","details":"64","howto":"275"},"CWE-ID:88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",{"point":"2rq","priority":"6","details":"67","howto":"26r"},"CWE-ID:89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes. 
Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Database Scanners Cost effective for partial coverage: Web Application Scanner Web Services Scanner:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not 
inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2rs","priority":"6","details":"6a","howto":"2rt"},"CWE-ID:90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",{"point":"2rv","priority":"6","details":"6d","howto":"26r"},"CWE-ID:91 XML Injection (aka Blind XPath Injection)",{"point":"2rx","priority":"6","details":"6g","howto":"26r"},"CWE-ID:93 Improper Neutralization of CRLF Sequences ('CRLF Injection')",{"point":"2rz","priority":"6","details":"6j","howto":"26r"},"CWE-ID:94 Improper Control of Generation of Code ('Code Injection')",{"point":"2s1","priority":"6","details":"6m","howto":"26r"},"CWE-ID:95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",{"point":"2s3","priority":"6","details":"6p","howto":"26r"},"CWE-ID:96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",{"point":"2s5","priority":"6","details":"6s","howto":"275"},"CWE-ID:97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",{"point":"2s7","priority":"6","details":"6v","howto":"275"},"CWE-ID:98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')","::METHOD:Manual Analysis:DESCRIPTION:Manual white-box analysis can be very effective for finding this issue, since 
there is typically a relatively small number of include or require statements in each program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. If the program uses a customized input validation library, then some tools may allow the analyst to create custom signatures to detect usage of those routines.::",{"point":"2s9","priority":"6","details":"6y","howto":"2sa"},{"point":"26q","priority":"6","details":"71","howto":"26r"},"CWE-ID:102 Struts: Duplicate Validation Forms",{"point":"2sd","priority":"6","details":"74","howto":"275"},"CWE-ID:103 Struts: Incomplete validate() Method Definition",{"point":"2sf","priority":"6","details":"77","howto":"26r"},"CWE-ID:104 Struts: Form Bean Does Not Extend Validation Class",{"point":"2sh","priority":"6","details":"7a","howto":"26r"},"CWE-ID:105 Struts: Form Field Without Validator",{"point":"2sj","priority":"6","details":"7d","howto":"275"},"CWE-ID:106 Struts: Plug-in Framework not in Use",{"point":"2sl","priority":"6","details":"7g","howto":"275"},"CWE-ID:107 Struts: Unused Validation Form",{"point":"2sn","priority":"6","details":"7j","howto":"275"},"CWE-ID:108 Struts: Unvalidated Action Form",{"point":"2sp","priority":"6","details":"7m","howto":"275"},"CWE-ID:109 Struts: Validator Turned Off",{"point":"2sr","priority":"6","details":"7p","howto":"275"},"CWE-ID:110 Struts: Validator Without Form Field","::METHOD:Automated Static Analysis:DESCRIPTION:To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::METHOD:Manual Static Analysis:DESCRIPTION:To find 
the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.:EFFECTIVENESS:Moderate::",{"point":"2st","priority":"6","details":"7s","howto":"2su"},"CWE-ID:111 Direct Use of Unsafe JNI",{"point":"2sw","priority":"6","details":"7v","howto":"26r"},"CWE-ID:112 Missing XML Validation",{"point":"2sy","priority":"6","details":"7y","howto":"26r"},"CWE-ID:113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",{"point":"2t0","priority":"6","details":"81","howto":"26r"},"CWE-ID:114 Process Control",{"point":"2t2","priority":"6","details":"84","howto":"26r"},{"point":"26t","priority":"6","details":"87","howto":"26u"},"CWE-ID:116 Improper Encoding or Escaping of Output","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:Moderate::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"2t5","priority":"6","details":"8a","howto":"2t6"},"CWE-ID:117 Improper Output Neutralization for Logs",{"point":"2t8","priority":"6","details":"8d","howto":"26r"},"CWE-ID:118 Incorrect Access of Indexable Resource ('Range Error')",{"point":"2ta","priority":"6","details":"8g","howto":"275"},"CWE-ID:119 Improper Restriction of Operations within the Bounds of a Memory Buffer","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. 
Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode Quality Analysis Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tc","priority":"6","details":"8j","howto":"2td"},"CWE-ID:120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based 
Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2tf","priority":"6","details":"8m","howto":"2tg"},"CWE-ID:121 Stack-based Buffer Overflow","::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ti","priority":"6","details":"8p","howto":"2tj"},"CWE-ID:122 Heap-based Buffer Overflow",{"point":"2tl","priority":"6","details":"8s","howto":"26u"},"CWE-ID:123 Write-what-where Condition",{"point":"2tn","priority":"6","details":"8v","howto":"275"},"CWE-ID:124 Buffer Underwrite ('Buffer Underflow')",{"point":"2tp","priority":"6","details":"8y","howto":"275"},"CWE-ID:125 Out-of-bounds Read",{"point":"2tr","priority":"6","details":"91","howto":"2tj"},"CWE-ID:126 Buffer Over-read",{"point":"2tt","priority":"6","details":"94","howto":"26r"},"CWE-ID:127 Buffer Under-read",{"point":"2tv","priority":"6","details":"97","howto":"275"},"CWE-ID:128 Wrap-around Error",{"point":"2tx","priority":"6","details":"9a","howto":"275"},"CWE-ID:129 Improper Validation of Array Index","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. 
For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::METHOD:Black Box:DESCRIPTION:Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.::",{"point":"2tz","priority":"6","details":"9d","howto":"2u0"},"CWE-ID:130 Improper Handling of Length Parameter Inconsistency",{"point":"2u2","priority":"6","details":"9g","howto":"275"},"CWE-ID:131 Incorrect Calculation of Buffer Size","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting potential errors in buffer calculations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques 
may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u4","priority":"6","details":"9j","howto":"2u5"},"CWE-ID:134 Use of Externally-Controlled Format String","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.::METHOD:Black Box:DESCRIPTION:Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. 
It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.:EFFECTIVENESS:Limited::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning 
Flags:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2u7","priority":"6","details":"9m","howto":"2u8"},"CWE-ID:135 Incorrect Calculation of Multi-Byte String Length",{"point":"2ua","priority":"6","details":"9p","howto":"26r"},"CWE-ID:138 Improper Neutralization of Special Elements",{"point":"2uc","priority":"6","details":"9s","howto":"275"},"CWE-ID:140 Improper Neutralization of Delimiters",{"point":"2ue","priority":"6","details":"9v","howto":"275"},"CWE-ID:141 Improper Neutralization of Parameter/Argument Delimiters",{"point":"2ug","priority":"6","details":"9y","howto":"275"},"CWE-ID:142 Improper Neutralization of Value Delimiters",{"point":"2ui","priority":"6","details":"a1","howto":"275"},"CWE-ID:143 Improper Neutralization of Record Delimiters",{"point":"2uk","priority":"6","details":"a4","howto":"275"},"CWE-ID:144 Improper Neutralization of Line Delimiters",{"point":"2um","priority":"6","details":"a7","howto":"275"},"CWE-ID:145 Improper Neutralization of Section Delimiters",{"point":"2uo","priority":"6","details":"aa","howto":"275"},"CWE-ID:146 Improper Neutralization of Expression/Command Delimiters",{"point":"2uq","priority":"6","details":"ad","howto":"275"},"CWE-ID:147 Improper Neutralization of Input Terminators",{"point":"2us","priority":"6","details":"ag","howto":"275"},"CWE-ID:148 Improper Neutralization of Input Leaders",{"point":"2uu","priority":"6","details":"aj","howto":"275"},"CWE-ID:149 Improper Neutralization of Quoting Syntax",{"point":"2uw","priority":"6","details":"am","howto":"275"},"CWE-ID:150 Improper Neutralization of Escape, Meta, or Control Sequences",{"point":"2uy","priority":"6","details":"ap","howto":"275"},"CWE-ID:151 Improper 
Neutralization of Comment Delimiters",{"point":"2v0","priority":"6","details":"as","howto":"275"},"CWE-ID:152 Improper Neutralization of Macro Symbols",{"point":"2v2","priority":"6","details":"av","howto":"275"},"CWE-ID:153 Improper Neutralization of Substitution Characters",{"point":"2v4","priority":"6","details":"ay","howto":"275"},"CWE-ID:154 Improper Neutralization of Variable Name Delimiters",{"point":"2v6","priority":"6","details":"b1","howto":"275"},"CWE-ID:155 Improper Neutralization of Wildcards or Matching Symbols",{"point":"2v8","priority":"6","details":"b4","howto":"275"},"CWE-ID:156 Improper Neutralization of Whitespace",{"point":"2va","priority":"6","details":"b7","howto":"275"},"CWE-ID:157 Failure to Sanitize Paired Delimiters",{"point":"2vc","priority":"6","details":"ba","howto":"275"},"CWE-ID:158 Improper Neutralization of Null Byte or NUL Character",{"point":"2ve","priority":"6","details":"bd","howto":"275"},"CWE-ID:159 Improper Handling of Invalid Use of Special Elements",{"point":"2vg","priority":"6","details":"bg","howto":"275"},"CWE-ID:160 Improper Neutralization of Leading Special Elements",{"point":"2vi","priority":"6","details":"bj","howto":"275"},"CWE-ID:161 Improper Neutralization of Multiple Leading Special Elements",{"point":"2vk","priority":"6","details":"bm","howto":"275"},"CWE-ID:162 Improper Neutralization of Trailing Special Elements",{"point":"2vm","priority":"6","details":"bp","howto":"275"},"CWE-ID:163 Improper Neutralization of Multiple Trailing Special Elements",{"point":"2vo","priority":"6","details":"bs","howto":"275"},"CWE-ID:164 Improper Neutralization of Internal Special Elements",{"point":"2vq","priority":"6","details":"bv","howto":"275"},"CWE-ID:165 Improper Neutralization of Multiple Internal Special Elements",{"point":"2vs","priority":"6","details":"by","howto":"275"},"CWE-ID:166 Improper Handling of Missing Special Element",{"point":"2vu","priority":"6","details":"c1","howto":"275"},"CWE-ID:167 Improper Handling of 
Additional Special Element",{"point":"2vw","priority":"6","details":"c4","howto":"275"},"CWE-ID:168 Improper Handling of Inconsistent Special Elements",{"point":"2vy","priority":"6","details":"c7","howto":"275"},"CWE-ID:170 Improper Null Termination",{"point":"2w0","priority":"6","details":"ca","howto":"26r"},"CWE-ID:172 Encoding Error",{"point":"2w2","priority":"6","details":"cd","howto":"275"},"CWE-ID:173 Improper Handling of Alternate Encoding",{"point":"2w4","priority":"6","details":"cg","howto":"275"},"CWE-ID:174 Double Decoding of the Same Data",{"point":"2w6","priority":"6","details":"cj","howto":"275"},"CWE-ID:175 Improper Handling of Mixed Encoding",{"point":"2w8","priority":"6","details":"cm","howto":"275"},"CWE-ID:176 Improper Handling of Unicode Encoding",{"point":"2wa","priority":"6","details":"cp","howto":"275"},"CWE-ID:177 Improper Handling of URL Encoding (Hex Encoding)",{"point":"2wc","priority":"6","details":"cs","howto":"275"},"CWE-ID:178 Improper Handling of Case Sensitivity",{"point":"2we","priority":"6","details":"cv","howto":"275"},"CWE-ID:179 Incorrect Behavior Order: Early Validation",{"point":"2wg","priority":"6","details":"cy","howto":"275"},"CWE-ID:180 Incorrect Behavior Order: Validate Before Canonicalize",{"point":"2wi","priority":"6","details":"d1","howto":"275"},"CWE-ID:181 Incorrect Behavior Order: Validate Before Filter",{"point":"2wk","priority":"6","details":"d4","howto":"275"},"CWE-ID:182 Collapse of Data into Unsafe Value",{"point":"2wm","priority":"6","details":"d7","howto":"26r"},"CWE-ID:183 Permissive List of Allowed Inputs",{"point":"2wo","priority":"6","details":"da","howto":"26r"},{"point":"26w","priority":"6","details":"dd","howto":"26x"},"CWE-ID:185 Incorrect Regular Expression",{"point":"2wr","priority":"6","details":"dg","howto":"26r"},"CWE-ID:186 Overly Restrictive Regular Expression",{"point":"2wt","priority":"6","details":"dj","howto":"275"},"CWE-ID:187 Partial String 
Comparison",{"point":"2wv","priority":"6","details":"dm","howto":"275"},"CWE-ID:188 Reliance on Data/Memory Layout",{"point":"2wx","priority":"6","details":"dp","howto":"26u"},"CWE-ID:190 Integer Overflow or Wraparound","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.:EFFECTIVENESS:High::METHOD:Black Box:DESCRIPTION:Sometimes, evidence of this weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. 
This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"2wz","priority":"6","details":"ds","howto":"2x0"},"CWE-ID:191 Integer Underflow (Wrap or Wraparound)",{"point":"2x2","priority":"6","details":"dv","howto":"26r"},"CWE-ID:192 Integer Coercion Error",{"point":"2x4","priority":"6","details":"dy","howto":"26r"},"CWE-ID:193 Off-by-one Error",{"point":"2x6","priority":"6","details":"e1","howto":"26r"},"CWE-ID:194 Unexpected Sign 
Extension",{"point":"2x8","priority":"6","details":"e4","howto":"275"},"CWE-ID:195 Signed to Unsigned Conversion Error",{"point":"2xa","priority":"6","details":"e7","howto":"26r"},"CWE-ID:196 Unsigned to Signed Conversion Error",{"point":"2xc","priority":"6","details":"ea","howto":"275"},"CWE-ID:197 Numeric Truncation Error",{"point":"2xe","priority":"6","details":"ed","howto":"2tj"},"CWE-ID:198 Use of Incorrect Byte Ordering","::METHOD:Black Box:DESCRIPTION:Because byte ordering bugs are usually very noticeable even with normal inputs, this bug is more likely to occur in rarely triggered error conditions, making them difficult to detect using black box methods.::",{"point":"2xg","priority":"6","details":"eg","howto":"2xh"},{"point":"26z","priority":"6","details":"ej","howto":"270"},{"point":"272","priority":"6","details":"em","howto":"26r"},{"point":"274","priority":"6","details":"ep","howto":"275"},{"point":"277","priority":"6","details":"es","howto":"275"},{"point":"279","priority":"6","details":"ev","howto":"275"},{"point":"27b","priority":"6","details":"ey","howto":"275"},"CWE-ID:206 Observable Internal Behavioral Discrepancy",{"point":"2xp","priority":"6","details":"f1","howto":"275"},"CWE-ID:207 Observable Behavioral Discrepancy With Equivalent Products",{"point":"2xr","priority":"6","details":"f4","howto":"275"},{"point":"27d","priority":"6","details":"f7","howto":"275"},{"point":"27f","priority":"6","details":"fa","howto":"27g"},{"point":"27i","priority":"6","details":"fd","howto":"275"},{"point":"27k","priority":"6","details":"fg","howto":"275"},{"point":"27m","priority":"6","details":"fj","howto":"275"},{"point":"27o","priority":"6","details":"fm","howto":"275"},{"point":"27q","priority":"6","details":"fp","howto":"275"},"CWE-ID:215 Insertion of Sensitive Information Into Debugging Code",{"point":"2y0","priority":"6","details":"fs","howto":"26r"},"CWE-ID:219 Storage of File with Sensitive Data Under Web 
Root",{"point":"2y2","priority":"6","details":"fv","howto":"275"},{"point":"27s","priority":"6","details":"g1","howto":"275"},"CWE-ID:222 Truncation of Security-relevant Information",{"point":"2y5","priority":"6","details":"g4","howto":"275"},{"point":"27u","priority":"6","details":"g7","howto":"275"},"CWE-ID:224 Obscured Security-relevant Information by Alternate Name",{"point":"2y8","priority":"6","details":"ga","howto":"275"},"CWE-ID:226 Sensitive Information in Resource Not Removed Before Reuse","::METHOD:Manual Analysis:DESCRIPTION:Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2ya","priority":"6","details":"gd","howto":"2yb"},"CWE-ID:228 Improper Handling of Syntactically Invalid Structure",{"point":"2yd","priority":"6","details":"gg","howto":"26r"},"CWE-ID:229 Improper Handling of Values",{"point":"2yf","priority":"6","details":"gj","howto":"275"},"CWE-ID:230 Improper Handling of Missing Values",{"point":"2yh","priority":"6","details":"gm","howto":"275"},"CWE-ID:231 Improper Handling of Extra Values",{"point":"2yj","priority":"6","details":"gp","howto":"275"},"CWE-ID:232 Improper Handling of Undefined Values",{"point":"2yl","priority":"6","details":"gs","howto":"275"},"CWE-ID:233 Improper Handling of Parameters",{"point":"2yn","priority":"6","details":"gv","howto":"2tj"},"CWE-ID:234 Failure to Handle Missing Parameter",{"point":"2yp","priority":"6","details":"gy","howto":"275"},"CWE-ID:235 Improper Handling of Extra Parameters",{"point":"2yr","priority":"6","details":"h1","howto":"275"},"CWE-ID:236 Improper Handling of Undefined Parameters",{"point":"2yt","priority":"6","details":"h4","howto":"275"},"CWE-ID:238 Improper Handling of Incomplete Structural Elements",{"point":"2yv","priority":"6","details":"ha","howto":"275"},"CWE-ID:239 Failure to Handle Incomplete Element",{"point":"2yx","priority":"6","details":"hd","howto":"275"},"CWE-ID:240 Improper Handling of Inconsistent Structural Elements",{"point":"2yz","priority":"6","details":"hg","howto":"275"},"CWE-ID:241 Improper Handling of Unexpected Data Type",{"point":"2z1","priority":"6","details":"hj","howto":"275"},"CWE-ID:242 Use of Inherently Dangerous Function",{"point":"2z3","priority":"6","details":"hm","howto":"26r"},"CWE-ID:243 Creation of chroot Jail Without Changing 
Working Directory",{"point":"2z5","priority":"6","details":"hp","howto":"26r"},"CWE-ID:244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')",{"point":"2z7","priority":"6","details":"hs","howto":"275"},"CWE-ID:245 J2EE Bad Practices: Direct Management of Connections",{"point":"2z9","priority":"6","details":"hv","howto":"26r"},"CWE-ID:246 J2EE Bad Practices: Direct Use of Sockets",{"point":"2zb","priority":"6","details":"hy","howto":"26r"},"CWE-ID:248 Uncaught Exception",{"point":"2zd","priority":"6","details":"i1","howto":"26r"},{"point":"27w","priority":"6","details":"i4","howto":"27x"},"CWE-ID:252 Unchecked Return Value",{"point":"2zg","priority":"6","details":"i7","howto":"26r"},"CWE-ID:253 Incorrect Check of Function Return Value",{"point":"2zi","priority":"6","details":"ia","howto":"275"},"CWE-ID:258 Empty Password in Configuration File",{"point":"2zk","priority":"6","details":"ij","howto":"275"},"CWE-ID:259 Use of Hard-coded Password","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. 
Using disassembled code, look at the associated instructions and see if any of them appear to be comparing the input to a fixed string or value.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"2zm","priority":"6","details":"im","howto":"2zn"},{"point":"283","priority":"6","details":"ip","howto":"26r"},"CWE-ID:266 Incorrect Privilege Assignment",{"point":"2zq","priority":"6","details":"j1","howto":"275"},{"point":"28b","priority":"6","details":"j4","howto":"275"},{"point":"28d","priority":"6","details":"j7","howto":"275"},{"point":"28f","priority":"6","details":"ja","howto":"26r"},{"point":"28h","priority":"6","details":"jd","howto":"275"},{"point":"28j","priority":"6","details":"jg","howto":"275"},"CWE-ID:272 Least Privilege Violation","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Compare binary / bytecode to application permission manifest:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following 
detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"2zx","priority":"6","details":"jj","howto":"2zy"},"CWE-ID:273 Improper Check for Dropped Privileges",{"point":"300","priority":"6","details":"jm","howto":"26r"},"CWE-ID:274 Improper Handling of Insufficient Privileges",{"point":"302","priority":"6","details":"jp","howto":"26r"},{"point":"28l","priority":"6","details":"js","howto":"28m"},"CWE-ID:277 Insecure Inherited Permissions",{"point":"305","priority":"6","details":"jv","howto":"275"},"CWE-ID:279 Incorrect Execution-Assigned Permissions",{"point":"307","priority":"6","details":"k1","howto":"275"},"CWE-ID:280 Improper Handling of Insufficient Permissions or Privileges ",{"point":"309","priority":"6","details":"k4","howto":"275"},"CWE-ID:281 Improper Preservation of Permissions",{"point":"30b","priority":"6","details":"k7","howto":"275"},"CWE-ID:284 Improper Access 
Control",{"point":"30d","priority":"6","details":"kg","howto":"275"},{"point":"28s","priority":"6","details":"kj","howto":"28t"},{"point":"28v","priority":"6","details":"km","howto":"275"},{"point":"28x","priority":"6","details":"kp","howto":"28y"},{"point":"292","priority":"6","details":"kv","howto":"275"},"CWE-ID:290 Authentication Bypass by Spoofing",{"point":"30j","priority":"6","details":"ky","howto":"275"},{"point":"296","priority":"6","details":"la","howto":"297"},"CWE-ID:296 Improper Following of a Certificate's Chain of Trust",{"point":"30m","priority":"6","details":"ld","howto":"26r"},"CWE-ID:297 Improper Validation of Certificate with Host Mismatch","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.::METHOD:Black Box:DESCRIPTION:When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. 
This methodology might be extensible to other technologies.::",{"point":"30o","priority":"6","details":"lg","howto":"30p"},"CWE-ID:298 Improper Validation of Certificate Expiration",{"point":"30r","priority":"6","details":"lj","howto":"275"},"CWE-ID:299 Improper Check for Certificate Revocation",{"point":"30t","priority":"6","details":"lm","howto":"26r"},{"point":"29d","priority":"6","details":"lv","howto":"275"},"CWE-ID:303 Incorrect Implementation of Authentication Algorithm",{"point":"30w","priority":"6","details":"ly","howto":"275"},"CWE-ID:304 Missing Critical Step in Authentication",{"point":"30y","priority":"6","details":"m1","howto":"26r"},"CWE-ID:305 Authentication Bypass by Primary Weakness",{"point":"310","priority":"6","details":"m4","howto":"275"},"CWE-ID:318 Cleartext Storage of Sensitive Information in Executable",{"point":"312","priority":"6","details":"n4","howto":"275"},"CWE-ID:325 Missing Cryptographic Step",{"point":"314","priority":"6","details":"nm","howto":"275"},{"point":"2a5","priority":"6","details":"ns","howto":"2a6"},"CWE-ID:329 Generation of Predictable IV with CBC Mode",{"point":"317","priority":"6","details":"ny","howto":"26r"},{"point":"2aa","priority":"6","details":"o1","howto":"2ab"},{"point":"2ad","priority":"6","details":"o4","howto":"275"},"CWE-ID:332 Insufficient Entropy in PRNG",{"point":"31b","priority":"6","details":"o7","howto":"275"},"CWE-ID:333 Improper Handling of Insufficient Entropy in TRNG",{"point":"31d","priority":"6","details":"oa","howto":"275"},{"point":"2af","priority":"6","details":"od","howto":"275"},"CWE-ID:335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",{"point":"31g","priority":"6","details":"og","howto":"275"},"CWE-ID:336 Same Seed in Pseudo-Random Number Generator (PRNG)",{"point":"31i","priority":"6","details":"oj","howto":"26r"},"CWE-ID:337 Predictable Seed in Pseudo-Random Number Generator 
(PRNG)",{"point":"31k","priority":"6","details":"om","howto":"275"},{"point":"2ah","priority":"6","details":"op","howto":"26r"},"CWE-ID:339 Small Seed Space in PRNG",{"point":"31n","priority":"6","details":"os","howto":"275"},{"point":"2aj","priority":"6","details":"ov","howto":"275"},{"point":"2al","priority":"6","details":"oy","howto":"275"},{"point":"2an","priority":"6","details":"p1","howto":"275"},{"point":"2ap","priority":"6","details":"p4","howto":"275"},{"point":"2ar","priority":"6","details":"p7","howto":"275"},{"point":"2at","priority":"6","details":"pa","howto":"26r"},{"point":"2av","priority":"6","details":"pd","howto":"275"},{"point":"2ax","priority":"6","details":"pg","howto":"26r"},{"point":"2az","priority":"6","details":"pj","howto":"275"},"CWE-ID:349 Acceptance of Extraneous Untrusted Data With Trusted Data",{"point":"31y","priority":"6","details":"pm","howto":"275"},"CWE-ID:351 Insufficient Type Distinction",{"point":"320","priority":"6","details":"ps","howto":"275"},{"point":"2b1","priority":"6","details":"py","howto":"275"},{"point":"2b3","priority":"6","details":"q1","howto":"275"},{"point":"2b5","priority":"6","details":"q4","howto":"275"},{"point":"2b7","priority":"6","details":"q7","howto":"275"},{"point":"2b9","priority":"6","details":"qa","howto":"275"},{"point":"2bb","priority":"6","details":"qd","howto":"2bc"},{"point":"2be","priority":"6","details":"qg","howto":"275"},{"point":"2bg","priority":"6","details":"qj","howto":"2bh"},{"point":"2bj","priority":"6","details":"qm","howto":"275"},"CWE-ID:364 Signal Handler Race Condition",{"point":"32b","priority":"6","details":"qp","howto":"275"},"CWE-ID:366 Race Condition within a Thread",{"point":"32d","priority":"6","details":"qs","howto":"26r"},"CWE-ID:367 Time-of-check Time-of-use (TOCTOU) Race Condition",{"point":"32f","priority":"6","details":"qv","howto":"26r"},{"point":"2bl","priority":"6","details":"qy","howto":"275"},"CWE-ID:369 Divide By Zero","::METHOD:Automated Static 
Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Fuzzing:DESCRIPTION:Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.:EFFECTIVENESS:High::",{"point":"32i","priority":"6","details":"r1","howto":"32j"},"CWE-ID:370 Missing Check for Certificate Revocation after Initial Check",{"point":"32l","priority":"6","details":"r4","howto":"275"},"CWE-ID:372 Incomplete Internal State Distinction",{"point":"32n","priority":"6","details":"r7","howto":"275"},"CWE-ID:374 Passing Mutable Objects to an Untrusted Method",{"point":"32p","priority":"6","details":"ra","howto":"275"},"CWE-ID:375 Returning a Mutable Object to an Untrusted Caller",{"point":"32r","priority":"6","details":"rd","howto":"275"},"CWE-ID:377 Insecure Temporary File",{"point":"32t","priority":"6","details":"rg","howto":"26r"},"CWE-ID:378 Creation of Temporary File With Insecure Permissions",{"point":"32v","priority":"6","details":"rj","howto":"275"},"CWE-ID:379 Creation of Temporary File in Directory with Insecure Permissions",{"point":"32x","priority":"6","details":"rm","howto":"26r"},"CWE-ID:382 J2EE Bad Practices: Use of 
System.exit()",{"point":"32z","priority":"6","details":"rp","howto":"26r"},"CWE-ID:383 J2EE Bad Practices: Direct Use of Threads",{"point":"331","priority":"6","details":"rs","howto":"26r"},"CWE-ID:384 Session Fixation",{"point":"333","priority":"6","details":"rv","howto":"275"},{"point":"2bn","priority":"6","details":"ry","howto":"275"},{"point":"2bp","priority":"6","details":"s1","howto":"275"},"CWE-ID:390 Detection of Error Condition Without Action",{"point":"337","priority":"6","details":"s4","howto":"26r"},"CWE-ID:391 Unchecked Error Condition",{"point":"339","priority":"6","details":"s7","howto":"26r"},"CWE-ID:392 Missing Report of Error Condition",{"point":"33b","priority":"6","details":"sa","howto":"275"},"CWE-ID:393 Return of Wrong Status Code",{"point":"33d","priority":"6","details":"sd","howto":"26u"},"CWE-ID:394 Unexpected Status Code or Return Value",{"point":"33f","priority":"6","details":"sg","howto":"275"},"CWE-ID:395 Use of NullPointerException Catch to Detect NULL Pointer Dereference","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Framework-based Fuzzer:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: 
Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"33h","priority":"6","details":"sj","howto":"33i"},"CWE-ID:396 Declaration of Catch for Generic Exception",{"point":"33k","priority":"6","details":"sm","howto":"26r"},"CWE-ID:397 Declaration of Throws for Generic Exception",{"point":"33m","priority":"6","details":"sp","howto":"26r"},{"point":"2br","priority":"6","details":"ss","howto":"2bs"},"CWE-ID:401 Missing Release of Memory after Effective Lifetime",{"point":"33p","priority":"6","details":"sv","howto":"2tj"},{"point":"2bu","priority":"6","details":"sy","howto":"26r"},"CWE-ID:403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",{"point":"33s","priority":"6","details":"t1","howto":"275"},"CWE-ID:404 Improper Resource Shutdown or Release","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Resource clean up errors might be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. 
The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the product under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"33u","priority":"6","details":"t4","howto":"33v"},{"point":"2bw","priority":"6","details":"t7","howto":"275"},{"point":"2by","priority":"6","details":"ta","howto":"275"},{"point":"2c0","priority":"6","details":"td","howto":"275"},{"point":"2c2","priority":"6","details":"tg","howto":"275"},{"point":"2c4","priority":"6","details":"tj","howto":"275"},{"point":"2c6","priority":"6","details":"tm","howto":"275"},{"point":"2c8","priority":"6","details":"tp","howto":"2c9"},{"point":"2cb","priority":"6","details":"ts","howto":"26r"},{"point":"2cd","priority":"6","details":"tv","howto":"275"},"CWE-ID:415 Double Free",{"point":"346","priority":"6","details":"ty","howto":"2tj"},"CWE-ID:416 Use After Free",{"point":"348","priority":"6","details":"u1","howto":"2tj"},{"point":"2cf","priority":"6","details":"u4","howto":"275"},{"point":"2ch","priority":"6","details":"u7","howto":"275"},"CWE-ID:425 Direct Request ('Forced Browsing')",{"point":"34c","priority":"6","details":"uj","howto":"275"},"CWE-ID:426 Untrusted Search Path","::METHOD:Black Box:DESCRIPTION:Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. 
Attach the monitor to the process and look for library functions and system calls that suggest when a search path is being used. One pattern is when the program performs multiple accesses of the same file but in different directories, with repeated failures until the proper filename is found. Library calls such as getenv() or their equivalent can be checked to see if any path-related variables are being accessed.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::METHOD:Manual Analysis:DESCRIPTION:Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. 
This is especially the case with weaknesses that are related to design and business rules.::",{"point":"34e","priority":"6","details":"um","howto":"34f"},"CWE-ID:427 Uncontrolled Search Path Element",{"point":"34h","priority":"6","details":"up","howto":"26r"},"CWE-ID:428 Unquoted Search Path or Element",{"point":"34j","priority":"6","details":"us","howto":"275"},"CWE-ID:430 Deployment of Wrong Handler",{"point":"34l","priority":"6","details":"uv","howto":"275"},"CWE-ID:431 Missing Handler",{"point":"34n","priority":"6","details":"uy","howto":"275"},"CWE-ID:432 Dangerous Signal Handler not Disabled During Sensitive Operations",{"point":"34p","priority":"6","details":"v1","howto":"275"},"CWE-ID:433 Unparsed Raw Web Content Delivery",{"point":"34r","priority":"6","details":"v4","howto":"275"},{"point":"2cn","priority":"6","details":"v7","howto":"2co"},"CWE-ID:435 Improper Interaction Between Multiple Correctly-Behaving Entities",{"point":"34u","priority":"6","details":"va","howto":"275"},{"point":"2cq","priority":"6","details":"vd","howto":"275"},{"point":"2cs","priority":"6","details":"vg","howto":"275"},{"point":"2cu","priority":"6","details":"vj","howto":"275"},{"point":"2cw","priority":"6","details":"vm","howto":"275"},"CWE-ID:444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",{"point":"350","priority":"6","details":"vs","howto":"275"},{"point":"2d0","priority":"6","details":"vv","howto":"275"},"CWE-ID:447 Unimplemented or Unsupported Feature in UI",{"point":"353","priority":"6","details":"vy","howto":"275"},"CWE-ID:448 Obsolete Feature in UI",{"point":"355","priority":"6","details":"w1","howto":"275"},"CWE-ID:449 The UI Performs the Wrong Action",{"point":"357","priority":"6","details":"w4","howto":"275"},"CWE-ID:450 Multiple Interpretations of UI Input",{"point":"359","priority":"6","details":"w7","howto":"275"},{"point":"2d2","priority":"6","details":"wa","howto":"275"},"CWE-ID:453 Insecure Default Variable 
Initialization",{"point":"35c","priority":"6","details":"wd","howto":"275"},{"point":"2d4","priority":"6","details":"wg","howto":"275"},"CWE-ID:455 Non-exit on Failed Initialization",{"point":"35f","priority":"6","details":"wj","howto":"275"},"CWE-ID:456 Missing Initialization of a Variable",{"point":"35h","priority":"6","details":"wm","howto":"26r"},"CWE-ID:457 Use of Uninitialized Variable",{"point":"35j","priority":"6","details":"wp","howto":"2tj"},"CWE-ID:459 Incomplete Cleanup",{"point":"35l","priority":"6","details":"ws","howto":"26r"},"CWE-ID:460 Improper Cleanup on Thrown Exception",{"point":"35n","priority":"6","details":"wv","howto":"26r"},"CWE-ID:462 Duplicate Key in Associative List (Alist)",{"point":"35p","priority":"6","details":"wy","howto":"275"},"CWE-ID:463 Deletion of Data Structure Sentinel",{"point":"35r","priority":"6","details":"x1","howto":"275"},"CWE-ID:464 Addition of Data Structure Sentinel",{"point":"35t","priority":"6","details":"x4","howto":"275"},"CWE-ID:466 Return of Pointer Value Outside of Expected Range",{"point":"35v","priority":"6","details":"x7","howto":"275"},"CWE-ID:467 Use of sizeof() on a Pointer Type",{"point":"35x","priority":"6","details":"xa","howto":"26r"},"CWE-ID:468 Incorrect Pointer Scaling",{"point":"35z","priority":"6","details":"xd","howto":"275"},"CWE-ID:469 Use of Pointer Subtraction to Determine Size",{"point":"361","priority":"6","details":"xg","howto":"2tj"},{"point":"2d6","priority":"6","details":"xj","howto":"26r"},{"point":"2d8","priority":"6","details":"xm","howto":"275"},"CWE-ID:472 External Control of Assumed-Immutable Web Parameter",{"point":"365","priority":"6","details":"xp","howto":"26r"},"CWE-ID:473 PHP External Variable Modification",{"point":"367","priority":"6","details":"xs","howto":"275"},"CWE-ID:474 Use of Function with Inconsistent Implementations",{"point":"369","priority":"6","details":"xv","howto":"26r"},{"point":"2da","priority":"6","details":"xy","howto":"26r"},"CWE-ID:476 NULL Pointer 
Dereference","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. 
Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36c","priority":"6","details":"y1","howto":"36d"},"CWE-ID:477 Use of Obsolete Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Origin Analysis:EFFECTIVENESS:High::METHOD:Architecture or 
Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"36f","priority":"6","details":"y4","howto":"36g"},"CWE-ID:478 Missing Default Case in Multiple Condition Expression",{"point":"36i","priority":"6","details":"y7","howto":"26r"},"CWE-ID:479 Signal Handler Use of a Non-reentrant Function",{"point":"36k","priority":"6","details":"ya","howto":"26r"},"CWE-ID:480 Use of Incorrect Operator","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::METHOD:Manual Static Analysis:DESCRIPTION:This weakness can be found easily using static analysis. However in some cases an operator might appear to be incorrect, but is actually correct and reflects unusual logic within the program.::",{"point":"36m","priority":"6","details":"yd","howto":"36n"},"CWE-ID:481 Assigning instead of Comparing",{"point":"36p","priority":"6","details":"yg","howto":"26r"},"CWE-ID:482 Comparing instead of Assigning",{"point":"36r","priority":"6","details":"yj","howto":"26r"},"CWE-ID:483 Incorrect Block Delimitation",{"point":"36t","priority":"6","details":"ym","howto":"26r"},"CWE-ID:484 Omitted Break Statement in Switch","::METHOD:White Box:DESCRIPTION:Omission of a break statement might be intentional, in order to support fallthrough. Automated detection methods might therefore be erroneous. 
Semantic understanding of expected product behavior is required to interpret whether the code is correct.::METHOD:Black Box:DESCRIPTION:Since this weakness is associated with a code construct, it would be indistinguishable from other errors that produce the same behavior.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"36v","priority":"6","details":"yp","howto":"36w"},"CWE-ID:486 Comparison of Classes by Name",{"point":"36y","priority":"6","details":"ys","howto":"26r"},"CWE-ID:487 Reliance on Package-level Scope",{"point":"370","priority":"6","details":"yv","howto":"275"},"CWE-ID:488 Exposure of Data Element to Wrong Session",{"point":"372","priority":"6","details":"yy","howto":"26r"},"CWE-ID:489 Active Debug Code",{"point":"374","priority":"6","details":"z1","howto":"26r"},"CWE-ID:491 Public cloneable() Method Without Final ('Object Hijack')",{"point":"376","priority":"6","details":"z4","howto":"275"},"CWE-ID:492 Use of Inner Class Containing Sensitive Data",{"point":"378","priority":"6","details":"z7","howto":"26r"},"CWE-ID:493 Critical Public Variable Without Final Modifier",{"point":"37a","priority":"6","details":"za","howto":"26r"},{"point":"2dc","priority":"6","details":"zd","howto":"2dd"},"CWE-ID:495 Private Data Structure Returned From A Public Method",{"point":"37d","priority":"6","details":"zg","howto":"26r"},"CWE-ID:496 Public Data Assigned to Private Array-Typed 
Field",{"point":"37f","priority":"6","details":"zj","howto":"26r"},"CWE-ID:497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",{"point":"37h","priority":"6","details":"zm","howto":"26r"},"CWE-ID:498 Cloneable Class Containing Sensitive Information",{"point":"37j","priority":"6","details":"zp","howto":"275"},"CWE-ID:499 Serializable Class Containing Sensitive Data",{"point":"37l","priority":"6","details":"zs","howto":"26r"},"CWE-ID:500 Public Static Field Not Marked Final",{"point":"37n","priority":"6","details":"zv","howto":"26r"},{"point":"2dh","priority":"6","details":"101","howto":"26r"},"CWE-ID:506 Embedded Malicious Code","::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies Generated Code Inspection:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Manual Source Code Review (not inspections):EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::",{"point":"37q","priority":"6","details":"104","howto":"37r"},"CWE-ID:507 Trojan Horse",{"point":"37t","priority":"6","details":"107","howto":"275"},"CWE-ID:508 Non-Replicating Malicious Code",{"point":"37v","priority":"6","details":"10a","howto":"275"},"CWE-ID:509 Replicating Malicious Code (Virus or 
Worm)",{"point":"37x","priority":"6","details":"10d","howto":"275"},{"point":"2dj","priority":"6","details":"10g","howto":"2dk"},{"point":"2dm","priority":"6","details":"10j","howto":"275"},{"point":"2do","priority":"6","details":"10m","howto":"275"},"CWE-ID:514 Covert Channel","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.):EFFECTIVENESS:SOAR Partial::",{"point":"382","priority":"6","details":"10p","howto":"383"},"CWE-ID:515 Covert Storage Channel",{"point":"385","priority":"6","details":"10s","howto":"275"},"CWE-ID:520 .NET Misconfiguration: Use of Impersonation",{"point":"387","priority":"6","details":"10v","howto":"275"},{"point":"2dq","priority":"6","details":"10y","howto":"26r"},{"point":"2ds","priority":"6","details":"111","howto":"26r"},"CWE-ID:524 Use of Cache Containing Sensitive Information",{"point":"38b","priority":"6","details":"117","howto":"26r"},"CWE-ID:525 Use of Web Browser Cache Containing Sensitive Information",{"point":"38d","priority":"6","details":"11a","howto":"275"},"CWE-ID:526 Cleartext Storage of Sensitive Information in an Environment Variable",{"point":"38f","priority":"6","details":"11d","howto":"26r"},{"point":"2dw","priority":"6","details":"11v","howto":"26r"},"CWE-ID:535 Exposure of Information Through Shell Error Message",{"point":"38i","priority":"6","details":"11y","howto":"26r"},"CWE-ID:536 Servlet Runtime Error Message Containing Sensitive Information",{"point":"38k","priority":"6","details":"121","howto":"275"},"CWE-ID:537 Java Runtime Error Message Containing Sensitive Information",{"point":"38m","priority":"6","details":"124","howto":"275"},"CWE-ID:538 Insertion of Sensitive Information into Externally-Accessible File or Directory",{"point":"38o","priority":"6","details":"127","howto":"26r"},"CWE-ID:539 Use of Persistent Cookies 
Containing Sensitive Information",{"point":"38q","priority":"6","details":"12a","howto":"26r"},"CWE-ID:540 Inclusion of Sensitive Information in Source Code",{"point":"38s","priority":"6","details":"12d","howto":"275"},"CWE-ID:541 Inclusion of Sensitive Information in an Include File",{"point":"38u","priority":"6","details":"12g","howto":"275"},"CWE-ID:543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context",{"point":"38w","priority":"6","details":"12j","howto":"275"},"CWE-ID:546 Suspicious Comment",{"point":"38y","priority":"6","details":"12p","howto":"275"},"CWE-ID:547 Use of Hard-coded, Security-relevant Constants",{"point":"390","priority":"6","details":"12s","howto":"26r"},"CWE-ID:548 Exposure of Information Through Directory Listing",{"point":"392","priority":"6","details":"12v","howto":"26r"},"CWE-ID:549 Missing Password Field Masking",{"point":"394","priority":"6","details":"12y","howto":"26r"},"CWE-ID:550 Server-generated Error Message Containing Sensitive Information",{"point":"396","priority":"6","details":"131","howto":"275"},"CWE-ID:551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",{"point":"398","priority":"6","details":"134","howto":"275"},{"point":"2e0","priority":"6","details":"137","howto":"26r"},"CWE-ID:553 Command Shell in Externally Accessible Directory",{"point":"39b","priority":"6","details":"13a","howto":"275"},"CWE-ID:554 ASP.NET Misconfiguration: Not Using Input Validation Framework",{"point":"39d","priority":"6","details":"13d","howto":"275"},"CWE-ID:555 J2EE Misconfiguration: Plaintext Password in Configuration File",{"point":"39f","priority":"6","details":"13g","howto":"275"},"CWE-ID:556 ASP.NET Misconfiguration: Use of Identity Impersonation",{"point":"39h","priority":"6","details":"13j","howto":"275"},"CWE-ID:558 Use of getlogin() in Multithreaded Application",{"point":"39j","priority":"6","details":"13m","howto":"275"},"CWE-ID:560 Use of umask() with chmod-style 
Argument",{"point":"39l","priority":"6","details":"13p","howto":"275"},"CWE-ID:561 Dead Code","::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Binary / Bytecode Quality Analysis Compare binary / bytecode to application permission manifest:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Automated Monitored Execution:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Permission Manifest Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source Code Quality Analyzer Cost effective for partial coverage: Warning Flags Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Automated Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused 
Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::",{"point":"39n","priority":"6","details":"13s","howto":"39o"},"CWE-ID:562 Return of Stack Variable Address",{"point":"39q","priority":"6","details":"13v","howto":"2tj"},"CWE-ID:563 Assignment to Variable without Use",{"point":"39s","priority":"6","details":"13y","howto":"26r"},"CWE-ID:564 SQL Injection: Hibernate",{"point":"39u","priority":"6","details":"141","howto":"275"},{"point":"2e2","priority":"6","details":"144","howto":"26r"},"CWE-ID:566 Authorization Bypass Through User-Controlled SQL Primary Key",{"point":"39x","priority":"6","details":"147","howto":"26r"},"CWE-ID:567 Unsynchronized Access to Shared Data in a Multithreaded Context",{"point":"39z","priority":"6","details":"14a","howto":"26r"},"CWE-ID:568 finalize() Method Without super.finalize()",{"point":"3a1","priority":"6","details":"14d","howto":"26r"},"CWE-ID:570 Expression is Always False",{"point":"3a3","priority":"6","details":"14g","howto":"26r"},"CWE-ID:571 Expression is Always True",{"point":"3a5","priority":"6","details":"14j","howto":"26r"},"CWE-ID:572 Call to Thread run() instead of start()",{"point":"3a7","priority":"6","details":"14m","howto":"26r"},"CWE-ID:573 Improper Following of Specification by Caller",{"point":"3a9","priority":"6","details":"14p","howto":"275"},"CWE-ID:574 EJB Bad Practices: Use of Synchronization Primitives",{"point":"3ab","priority":"6","details":"14s","howto":"275"},"CWE-ID:575 EJB Bad Practices: Use of AWT Swing",{"point":"3ad","priority":"6","details":"14v","howto":"275"},"CWE-ID:576 EJB Bad Practices: Use of Java I/O",{"point":"3af","priority":"6","details":"14y","howto":"275"},"CWE-ID:577 EJB Bad Practices: Use of Sockets",{"point":"3ah","priority":"6","details":"151","howto":"275"},"CWE-ID:578 EJB Bad Practices: Use of Class Loader",{"point":"3aj","priority":"6","details":"154","howto":"275"},"CWE-ID:579 J2EE Bad Practices: Non-serializable Object Stored in 
Session",{"point":"3al","priority":"6","details":"157","howto":"26r"},"CWE-ID:580 clone() Method Without super.clone()",{"point":"3an","priority":"6","details":"15a","howto":"26r"},"CWE-ID:581 Object Model Violation: Just One of Equals and Hashcode Defined",{"point":"3ap","priority":"6","details":"15d","howto":"26r"},"CWE-ID:582 Array Declared Public, Final, and Static",{"point":"3ar","priority":"6","details":"15g","howto":"275"},"CWE-ID:583 finalize() Method Declared Public",{"point":"3at","priority":"6","details":"15j","howto":"26r"},"CWE-ID:584 Return Inside Finally Block",{"point":"3av","priority":"6","details":"15m","howto":"26r"},"CWE-ID:585 Empty Synchronized Block",{"point":"3ax","priority":"6","details":"15p","howto":"26r"},"CWE-ID:586 Explicit Call to Finalize()",{"point":"3az","priority":"6","details":"15s","howto":"26r"},"CWE-ID:587 Assignment of a Fixed Address to a Pointer",{"point":"3b1","priority":"6","details":"15v","howto":"275"},"CWE-ID:588 Attempt to Access Child of a Non-structure Pointer",{"point":"3b3","priority":"6","details":"15y","howto":"275"},"CWE-ID:589 Call to Non-ubiquitous API",{"point":"3b5","priority":"6","details":"161","howto":"26r"},"CWE-ID:590 Free of Memory not on the Heap",{"point":"3b7","priority":"6","details":"164","howto":"2tj"},"CWE-ID:591 Sensitive Data Storage in Improperly Locked Memory",{"point":"3b9","priority":"6","details":"167","howto":"275"},"CWE-ID:593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",{"point":"3bb","priority":"6","details":"16a","howto":"275"},"CWE-ID:594 J2EE Framework: Saving Unserializable Objects to Disk",{"point":"3bd","priority":"6","details":"16d","howto":"275"},"CWE-ID:595 Comparison of Object References Instead of Object Contents",{"point":"3bf","priority":"6","details":"16g","howto":"26r"},"CWE-ID:597 Use of Wrong Operator in String Comparison",{"point":"3bh","priority":"6","details":"16j","howto":"26r"},"CWE-ID:598 Use of GET Request Method With 
Sensitive Query Strings",{"point":"3bj","priority":"6","details":"16m","howto":"26r"},"CWE-ID:599 Missing Validation of OpenSSL Certificate",{"point":"3bl","priority":"6","details":"16p","howto":"275"},"CWE-ID:600 Uncaught Exception in Servlet ",{"point":"3bn","priority":"6","details":"16s","howto":"275"},{"point":"2e4","priority":"6","details":"16v","howto":"2e5"},{"point":"2e9","priority":"6","details":"171","howto":"275"},"CWE-ID:605 Multiple Binds to the Same Port",{"point":"3br","priority":"6","details":"174","howto":"275"},"CWE-ID:606 Unchecked Input for Loop Condition",{"point":"3bt","priority":"6","details":"177","howto":"26r"},"CWE-ID:607 Public Static Final Field References Mutable Object",{"point":"3bv","priority":"6","details":"17a","howto":"26r"},"CWE-ID:608 Struts: Non-private Field in ActionForm Class",{"point":"3bx","priority":"6","details":"17d","howto":"275"},"CWE-ID:609 Double-Checked Locking",{"point":"3bz","priority":"6","details":"17g","howto":"275"},"CWE-ID:611 Improper Restriction of XML External Entity Reference",{"point":"3c1","priority":"6","details":"17m","howto":"26r"},{"point":"2ed","priority":"6","details":"17p","howto":"275"},{"point":"2ef","priority":"6","details":"17s","howto":"26r"},"CWE-ID:614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",{"point":"3c5","priority":"6","details":"17v","howto":"26r"},"CWE-ID:615 Inclusion of Sensitive Information in Source Code Comments",{"point":"3c7","priority":"6","details":"17y","howto":"26r"},"CWE-ID:616 Incomplete Identification of Uploaded File Variables (PHP)",{"point":"3c9","priority":"6","details":"181","howto":"275"},"CWE-ID:617 Reachable Assertion",{"point":"3cb","priority":"6","details":"184","howto":"26r"},"CWE-ID:618 Exposed Unsafe ActiveX Method",{"point":"3cd","priority":"6","details":"187","howto":"26r"},"CWE-ID:619 Dangling Database Cursor ('Cursor 
Injection')",{"point":"3cf","priority":"6","details":"18a","howto":"275"},{"point":"2eh","priority":"6","details":"18d","howto":"275"},"CWE-ID:621 Variable Extraction Error",{"point":"3ci","priority":"6","details":"18g","howto":"275"},"CWE-ID:622 Improper Validation of Function Hook Arguments",{"point":"3ck","priority":"6","details":"18j","howto":"275"},"CWE-ID:623 Unsafe ActiveX Control Marked Safe For Scripting",{"point":"3cm","priority":"6","details":"18m","howto":"275"},"CWE-ID:624 Executable Regular Expression Error",{"point":"3co","priority":"6","details":"18p","howto":"275"},"CWE-ID:625 Permissive Regular Expression",{"point":"3cq","priority":"6","details":"18s","howto":"26r"},"CWE-ID:626 Null Byte Interaction Error (Poison Null Byte)",{"point":"3cs","priority":"6","details":"18v","howto":"275"},"CWE-ID:627 Dynamic Variable Evaluation",{"point":"3cu","priority":"6","details":"18y","howto":"275"},"CWE-ID:628 Function Call with Incorrectly Specified Arguments","::METHOD:Other:DESCRIPTION:Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. 
Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.::",{"point":"3cw","priority":"6","details":"191","howto":"3cx"},{"point":"2ej","priority":"6","details":"194","howto":"275"},{"point":"2el","priority":"6","details":"197","howto":"275"},"CWE-ID:638 Not Using Complete Mediation",{"point":"3d1","priority":"6","details":"19a","howto":"275"},{"point":"2ep","priority":"6","details":"19g","howto":"275"},{"point":"2er","priority":"6","details":"19j","howto":"275"},{"point":"2et","priority":"6","details":"19m","howto":"26r"},"CWE-ID:643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')",{"point":"3d6","priority":"6","details":"19p","howto":"26r"},"CWE-ID:644 Improper Neutralization of HTTP Headers for Scripting Syntax",{"point":"3d8","priority":"6","details":"19s","howto":"275"},"CWE-ID:646 Reliance on File Name or Extension of Externally-Supplied File",{"point":"3da","priority":"6","details":"19y","howto":"275"},"CWE-ID:647 Use of Non-Canonical URL Paths for Authorization Decisions",{"point":"3dc","priority":"6","details":"1a1","howto":"26r"},{"point":"2ex","priority":"6","details":"1a4","howto":"275"},{"point":"2ez","priority":"6","details":"1a7","howto":"275"},"CWE-ID:650 Trusting HTTP Permission Methods on the Server Side",{"point":"3dg","priority":"6","details":"1aa","howto":"275"},"CWE-ID:651 Exposure of WSDL File Containing Sensitive Information",{"point":"3di","priority":"6","details":"1ad","howto":"275"},"CWE-ID:652 Improper Neutralization of Data within XQuery Expressions ('XQuery 
Injection')",{"point":"3dk","priority":"6","details":"1ag","howto":"275"},{"point":"2f1","priority":"6","details":"1aj","howto":"2f2"},{"point":"2f4","priority":"6","details":"1am","howto":"275"},{"point":"2f8","priority":"6","details":"1as","howto":"275"},{"point":"2fa","priority":"6","details":"1av","howto":"275"},{"point":"2fc","priority":"6","details":"1ay","howto":"275"},"CWE-ID:663 Use of a Non-reentrant Function in a Concurrent Context",{"point":"3dr","priority":"6","details":"1b1","howto":"275"},"CWE-ID:664 Improper Control of a Resource Through its Lifetime",{"point":"3dt","priority":"6","details":"1b4","howto":"275"},"CWE-ID:665 Improper Initialization","::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Initialization problems may be detected with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. 
If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect sources (origins of input) with sinks (destinations where the data interacts with external components, a lower layer such as the OS, etc.):EFFECTIVENESS:High::",{"point":"3dv","priority":"6","details":"1b7","howto":"3dw"},"CWE-ID:666 Operation on Resource in Wrong Phase of Lifetime",{"point":"3dy","priority":"6","details":"1ba","howto":"275"},{"point":"2fe","priority":"6","details":"1bd","howto":"26r"},{"point":"2fg","priority":"6","details":"1bg","howto":"275"},{"point":"2fi","priority":"6","details":"1bj","howto":"275"},"CWE-ID:670 Always-Incorrect Control Flow Implementation",{"point":"3e3","priority":"6","details":"1bm","howto":"275"},{"point":"2fk","priority":"6","details":"1bp","howto":"275"},"CWE-ID:672 Operation on a Resource after Expiration or Release",{"point":"3e6","priority":"6","details":"1bs","howto":"275"},{"point":"2fm","priority":"6","details":"1bv","howto":"275"},"CWE-ID:674 Uncontrolled Recursion",{"point":"3e9","priority":"6","details":"1by","howto":"26r"},"CWE-ID:675 Multiple Operations on Resource in Single-Operation Context",{"point":"3eb","priority":"6","details":"1c1","howto":"275"},"CWE-ID:676 Use of Potentially Dangerous Function","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including 
disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode Quality Analysis Binary / Bytecode simple extractor - strings, ELF readers, etc.:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Debugger Cost effective for partial coverage: Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags Source Code Quality Analyzer:EFFECTIVENESS:High::METHOD:Automated Static Analysis:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Origin Analysis:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Inspection (IEEE 1028 standard) (can apply to 
requirements, design, source code, etc.):EFFECTIVENESS:High::",{"point":"3ed","priority":"6","details":"1c4","howto":"3ee"},"CWE-ID:681 Incorrect Conversion between Numeric Types",{"point":"3eg","priority":"6","details":"1ca","howto":"275"},"CWE-ID:682 Incorrect Calculation","::METHOD:Manual Analysis:DESCRIPTION:This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of allocation calculations. This can be useful for detecting overflow conditions (CWE-190) or similar weaknesses that might have serious security impacts on the program.:EFFECTIVENESS:High::",{"point":"3ei","priority":"6","details":"1cd","howto":"3ej"},"CWE-ID:683 Function Call With Incorrect Order of Arguments",{"point":"3el","priority":"6","details":"1cg","howto":"275"},"CWE-ID:684 Incorrect Provision of Specified Functionality",{"point":"3en","priority":"6","details":"1cj","howto":"275"},"CWE-ID:685 Function Call With Incorrect Number of Arguments","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. 
It also can occur in languages or environments that do not require that functions always be called with the correct number of arguments, such as Perl.::",{"point":"3ep","priority":"6","details":"1cm","howto":"3eq"},"CWE-ID:686 Function Call With Incorrect Argument Type",{"point":"3es","priority":"6","details":"1cp","howto":"275"},"CWE-ID:687 Function Call With Incorrectly Specified Argument Value","::METHOD:Manual Static Analysis:DESCRIPTION:This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3eu","priority":"6","details":"1cs","howto":"3ev"},"CWE-ID:688 Function Call With Incorrect Variable or Reference as Argument","::METHOD:Other:DESCRIPTION:While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in loosely typed languages or environments. 
This might require an understanding of intended program behavior or design to determine whether the value is incorrect.::",{"point":"3ex","priority":"6","details":"1cv","howto":"3ey"},"CWE-ID:689 Permission Race Condition During Resource Copy",{"point":"3f0","priority":"6","details":"1cy","howto":"275"},"CWE-ID:690 Unchecked Return Value to NULL Pointer Dereference","::METHOD:Black Box:DESCRIPTION:This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.::METHOD:White Box:DESCRIPTION:Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.::",{"point":"3f2","priority":"6","details":"1d1","howto":"3f3"},"CWE-ID:691 Insufficient Control Flow Management",{"point":"3f5","priority":"6","details":"1d4","howto":"275"},"CWE-ID:693 Protection Mechanism Failure",{"point":"3f7","priority":"6","details":"1da","howto":"275"},{"point":"2fo","priority":"6","details":"1dd","howto":"275"},"CWE-ID:695 Use of Low-Level Functionality",{"point":"3fa","priority":"6","details":"1dg","howto":"26r"},{"point":"2fq","priority":"6","details":"1dj","howto":"275"},"CWE-ID:697 Incorrect Comparison",{"point":"3fd","priority":"6","details":"1dm","howto":"275"},"CWE-ID:698 Execution After Redirect (EAR)","::METHOD:Black Box:DESCRIPTION:This issue might not be detected if testing is performed using a web browser, because the browser might obey the redirect and move the user to a different page before the application has produced outputs that indicate something is amiss.::",{"point":"3ff","priority":"6","details":"1dp","howto":"3fg"},"CWE-ID:703 Improper Check or Handling of Exceptional Conditions","::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Fault Injection - source code Fault Injection - binary Cost effective 
for partial coverage: Forced Path Execution:EFFECTIVENESS:High::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction:EFFECTIVENESS:High::",{"point":"3fi","priority":"6","details":"1ds","howto":"3fj"},"CWE-ID:704 Incorrect Type Conversion or Cast",{"point":"3fl","priority":"6","details":"1dv","howto":"26u"},"CWE-ID:705 Incorrect Control Flow Scoping",{"point":"3fn","priority":"6","details":"1dy","howto":"275"},{"point":"2fs","priority":"6","details":"1e1","howto":"275"},"CWE-ID:707 Improper Neutralization",{"point":"3fq","priority":"6","details":"1e4","howto":"275"},{"point":"2fu","priority":"6","details":"1e7","howto":"275"},"CWE-ID:710 Improper Adherence to Coding Standards",{"point":"3ft","priority":"6","details":"1ea","howto":"275"},{"point":"2fw","priority":"6","details":"1ed","howto":"2fx"},{"point":"2fz","priority":"6","details":"1ej","howto":"26r"},"CWE-ID:754 Improper Check for Unusual or Exceptional Conditions","::METHOD:Automated Static Analysis:DESCRIPTION:Automated static analysis may be useful for detecting unusual conditions involving system resources or common programming idioms, but not for violations of business rules.:EFFECTIVENESS:Moderate::METHOD:Manual Dynamic 
Analysis:DESCRIPTION:Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.::",{"point":"3fx","priority":"6","details":"1em","howto":"3fy"},"CWE-ID:755 Improper Handling of Exceptional Conditions",{"point":"3g0","priority":"6","details":"1ep","howto":"275"},"CWE-ID:759 Use of a One-Way Hash without a Salt",{"point":"3g2","priority":"6","details":"1f1","howto":"2gt"},"CWE-ID:760 Use of a One-Way Hash with a Predictable Salt",{"point":"3g4","priority":"6","details":"1f4","howto":"26r"},"CWE-ID:761 Free of Pointer not at Start of Buffer",{"point":"3g6","priority":"6","details":"1f7","howto":"275"},"CWE-ID:762 Mismatched Memory Management Routines",{"point":"3g8","priority":"6","details":"1fa","howto":"275"},"CWE-ID:763 Release of Invalid Pointer or Reference",{"point":"3ga","priority":"6","details":"1fd","howto":"26u"},"CWE-ID:764 Multiple Locks of a Critical Resource",{"point":"3gc","priority":"6","details":"1fg","howto":"275"},"CWE-ID:765 Multiple Unlocks of a Critical Resource",{"point":"3ge","priority":"6","details":"1fj","howto":"275"},"CWE-ID:766 Critical Data Element Declared Public",{"point":"3gg","priority":"6","details":"1fm","howto":"26r"},"CWE-ID:767 Access to Critical Private Variable via Public Method",{"point":"3gi","priority":"6","details":"1fp","howto":"275"},"CWE-ID:768 Incorrect Short Circuit Evaluation",{"point":"3gk","priority":"6","details":"1fs","howto":"275"},{"point":"2g3","priority":"6","details":"1fv","howto":"2g4"},"CWE-ID:771 
Missing Reference to Active Allocated Resource",{"point":"3gn","priority":"6","details":"1fy","howto":"275"},"CWE-ID:772 Missing Release of Resource after Effective Lifetime",{"point":"3gp","priority":"6","details":"1g1","howto":"275"},"CWE-ID:773 Missing Reference to Active File Descriptor or Handle",{"point":"3gr","priority":"6","details":"1g4","howto":"275"},"CWE-ID:774 Allocation of File Descriptors or Handles Without Limits or Throttling",{"point":"3gt","priority":"6","details":"1g7","howto":"275"},"CWE-ID:775 Missing Release of File Descriptor or Handle after Effective Lifetime",{"point":"3gv","priority":"6","details":"1ga","howto":"275"},"CWE-ID:776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",{"point":"3gx","priority":"6","details":"1gd","howto":"26r"},"CWE-ID:777 Regular Expression without Anchors",{"point":"3gz","priority":"6","details":"1gg","howto":"275"},"CWE-ID:780 Use of RSA Algorithm without OAEP",{"point":"3h1","priority":"6","details":"1gp","howto":"26r"},"CWE-ID:781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",{"point":"3h3","priority":"6","details":"1gs","howto":"275"},"CWE-ID:782 Exposed IOCTL with Insufficient Access Control",{"point":"3h5","priority":"6","details":"1gv","howto":"275"},"CWE-ID:783 Operator Precedence Logic Error",{"point":"3h7","priority":"6","details":"1gy","howto":"275"},"CWE-ID:784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision",{"point":"3h9","priority":"6","details":"1h1","howto":"275"},"CWE-ID:785 Use of Path Manipulation Function without Maximum-sized Buffer",{"point":"3hb","priority":"6","details":"1h4","howto":"275"},"CWE-ID:787 Out-of-bounds Write","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. 
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.::",{"point":"3hd","priority":"6","details":"1ha","howto":"3he"},"CWE-ID:789 Memory Allocation with Excessive Size Value",{"point":"3hg","priority":"6","details":"1hg","howto":"2tj"},"CWE-ID:790 Improper Filtering of Special Elements",{"point":"3hi","priority":"6","details":"1hj","howto":"275"},"CWE-ID:791 Incomplete Filtering of Special Elements",{"point":"3hk","priority":"6","details":"1hm","howto":"275"},"CWE-ID:792 Incomplete Filtering of One or More Instances of Special Elements",{"point":"3hm","priority":"6","details":"1hp","howto":"275"},"CWE-ID:793 Only Filtering One Instance of a Special Element",{"point":"3ho","priority":"6","details":"1hs","howto":"275"},"CWE-ID:794 Incomplete Filtering of Multiple Instances of Special Elements",{"point":"3hq","priority":"6","details":"1hv","howto":"275"},"CWE-ID:795 Only Filtering Special Elements at a Specified Location",{"point":"3hs","priority":"6","details":"1hy","howto":"275"},"CWE-ID:796 Only Filtering Special Elements Relative to a Marker",{"point":"3hu","priority":"6","details":"1i1","howto":"275"},"CWE-ID:797 Only Filtering Special Elements at an Absolute 
Position",{"point":"3hw","priority":"6","details":"1i4","howto":"275"},{"point":"2g9","priority":"6","details":"1ia","howto":"275"},{"point":"2gb","priority":"6","details":"1id","howto":"275"},"CWE-ID:805 Buffer Access with Incorrect Length Value","::METHOD:Automated Static Analysis:DESCRIPTION:This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.:EFFECTIVENESS:High::METHOD:Automated Dynamic Analysis:DESCRIPTION:This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. 
This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.::",{"point":"3i0","priority":"6","details":"1ig","howto":"3i1"},"CWE-ID:806 Buffer Access Using Size of Source Buffer",{"point":"3i3","priority":"6","details":"1ij","howto":"275"},{"point":"2gd","priority":"6","details":"1im","howto":"2ge"},"CWE-ID:827 Improper Control of Document Type Definition",{"point":"3i6","priority":"6","details":"1ja","howto":"275"},"CWE-ID:829 Inclusion of Functionality from Untrusted Control Sphere","::METHOD:Automated Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Bytecode Weakness Analysis - including disassembler + source code weakness analysis:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Binary or Bytecode:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies:EFFECTIVENESS:SOAR Partial::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious:EFFECTIVENESS:SOAR Partial::METHOD:Manual Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source:EFFECTIVENESS:High::METHOD:Automated Static Analysis - Source Code:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer 
Context-configured Source Code Weakness Analyzer:EFFECTIVENESS:SOAR Partial::METHOD:Architecture or Design Review:DESCRIPTION:According to SOAR, the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction Cost effective for partial coverage: Attack Modeling:EFFECTIVENESS:High::",{"point":"3i8","priority":"6","details":"1jg","howto":"3i9"},"CWE-ID:830 Inclusion of Web Functionality from an Untrusted Source",{"point":"3ib","priority":"6","details":"1jj","howto":"275"},"CWE-ID:836 Use of Password Hash Instead of Password for Authentication",{"point":"3id","priority":"6","details":"1k1","howto":"275"},"CWE-ID:841 Improper Enforcement of Behavioral Workflow",{"point":"3if","priority":"6","details":"1kd","howto":"275"},"CWE-ID:842 Placement of User into Incorrect Group",{"point":"3ih","priority":"6","details":"1kg","howto":"275"},"CWE-ID:843 Access of Resource Using Incompatible Type ('Type Confusion')",{"point":"3ij","priority":"6","details":"1kj","howto":"275"},{"point":"2gg","priority":"6","details":"1km","howto":"2gh"},{"point":"2gj","priority":"6","details":"1kp","howto":"2gk"},"CWE-ID:908 Use of Uninitialized Resource",{"point":"3in","priority":"6","details":"1ks","howto":"275"},"CWE-ID:909 Missing Initialization of Resource",{"point":"3ip","priority":"6","details":"1kv","howto":"275"},"CWE-ID:910 Use of Expired File Descriptor",{"point":"3ir","priority":"6","details":"1ky","howto":"275"},"CWE-ID:911 Improper Update of Reference Count",{"point":"3it","priority":"6","details":"1l1","howto":"275"},{"point":"2gm","priority":"6","details":"1l4","howto":"275"},{"point":"2go","priority":"6","details":"1l7","howto":"26u"},"CWE-ID:914 Improper Control of Dynamically-Identified 
Variables",{"point":"3ix","priority":"6","details":"1la","howto":"275"},{"point":"2gq","priority":"6","details":"1ld","howto":"26r"},{"point":"2gv","priority":"6","details":"1lj","howto":"26r"},{"point":"2gx","priority":"6","details":"1lm","howto":"26r"},{"point":"2h3","priority":"6","details":"1lv","howto":"26r"},"CWE-ID:939 Improper Authorization in Handler for Custom URL Scheme",{"point":"3j3","priority":"6","details":"1md","howto":"275"},{"point":"2h9","priority":"6","details":"1mg","howto":"275"},{"point":"2hb","priority":"6","details":"1mj","howto":"275"},"CWE-ID:942 Permissive Cross-domain Policy with Untrusted Domains",{"point":"3j7","priority":"6","details":"1mm","howto":"26r"},"CWE-ID:943 Improper Neutralization of Special Elements in Data Query Logic",{"point":"3j9","priority":"6","details":"1mp","howto":"26r"},"CWE-ID:1004 Sensitive Cookie Without 'HttpOnly' Flag",{"point":"3jb","priority":"6","details":"1ms","howto":"26r"},{"point":"2hd","priority":"6","details":"1mv","howto":"2he"},"CWE-ID:1021 Improper Restriction of Rendered UI Layers or Frames",{"point":"3je","priority":"6","details":"1my","howto":"26r"},"CWE-ID:1022 Use of Web Link to Untrusted Target with window.opener Access",{"point":"3jg","priority":"6","details":"1n1","howto":"26r"},"CWE-ID:1023 Incomplete Comparison with Missing Factors",{"point":"3ji","priority":"6","details":"1n4","howto":"275"},"CWE-ID:1024 Comparison of Incompatible Types",{"point":"3jk","priority":"6","details":"1n7","howto":"275"},"CWE-ID:1025 Comparison Using Wrong Factors",{"point":"3jm","priority":"6","details":"1na","howto":"275"},"CWE-ID:1068 Inconsistency Between Implementation and Documented Design",{"point":"3jo","priority":"6","details":"1pv","howto":"275"},{"point":"2hr","priority":"6","details":"1uv","howto":"2hs"},"CWE-ID:1174 ASP.NET Misconfiguration: Improper Model 
Validation",{"point":"3jr","priority":"6","details":"1uy","howto":"275"},{"point":"2hu","priority":"6","details":"1v1","howto":"275"},"CWE-ID:1177 Use of Prohibited Code",{"point":"3ju","priority":"6","details":"1v4","howto":"275"},{"point":"2hw","priority":"6","details":"1va","howto":"2hx"},{"point":"2i1","priority":"6","details":"1vg","howto":"2i2"},{"point":"2i4","priority":"6","details":"1vj","howto":"275"},"CWE-ID:1204 Generation of Weak Initialization Vector (IV)",{"point":"3jz","priority":"6","details":"1vp","howto":"275"},{"point":"2i6","priority":"6","details":"1vs","howto":"275"},{"point":"2i8","priority":"6","details":"1vv","howto":"275"},"CWE-ID:1221 Incorrect Register Defaults or Module Parameters",{"point":"3k3","priority":"6","details":"1vy","howto":"275"},{"point":"2ic","priority":"6","details":"1w7","howto":"275"},{"point":"2ig","priority":"6","details":"1wg","howto":"2ih"},{"point":"2ij","priority":"6","details":"1wj","howto":"275"},{"point":"2il","priority":"6","details":"1wm","howto":"2im"},{"point":"2io","priority":"6","details":"1wp","howto":"275"},"CWE-ID:1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",{"point":"3ka","priority":"6","details":"1ws","howto":"275"},"CWE-ID:1236 Improper Neutralization of Formula Elements in a CSV File",{"point":"3kc","priority":"6","details":"1wv","howto":"275"},"CWE-ID:1239 Improper Zeroization of Hardware 
Register",{"point":"3ke","priority":"6","details":"1wy","howto":"275"},{"point":"2iq","priority":"6","details":"1x1","howto":"2ir"},{"point":"2it","priority":"6","details":"1x4","howto":"275"},{"point":"2iv","priority":"6","details":"1x7","howto":"275"},{"point":"2ix","priority":"6","details":"1xa","howto":"275"},{"point":"2iz","priority":"6","details":"1xd","howto":"2j0"},{"point":"2j2","priority":"6","details":"1xg","howto":"275"},{"point":"2j4","priority":"6","details":"1xj","howto":"275"},{"point":"2j6","priority":"6","details":"1xs","howto":"275"},{"point":"2ja","priority":"6","details":"1y4","howto":"275"},{"point":"2jc","priority":"6","details":"1y7","howto":"275"},"CWE-ID:1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks",{"point":"3kq","priority":"6","details":"1ya","howto":"275"},{"point":"2je","priority":"6","details":"1yd","howto":"2jf"},{"point":"2jh","priority":"6","details":"1yg","howto":"275"},{"point":"2jj","priority":"6","details":"1yj","howto":"275"},{"point":"2jl","priority":"6","details":"1ym","howto":"275"},{"point":"2jn","priority":"6","details":"1yp","howto":"2jo"},{"point":"2jq","priority":"6","details":"1ys","howto":"275"},{"point":"2js","priority":"6","details":"1yv","howto":"2jt"},{"point":"2jx","priority":"6","details":"1z1","howto":"275"},{"point":"2jz","priority":"6","details":"1z7","howto":"275"},{"point":"2k1","priority":"6","details":"1za","howto":"275"},{"point":"2k3","priority":"6","details":"1zd","howto":"275"},"CWE-ID:1269 Product Released in Non-Release Configuration",{"point":"3l3","priority":"6","details":"1zg","howto":"275"},{"point":"2k5","priority":"6","details":"1zj","howto":"275"},"CWE-ID:1271 Uninitialized Value on Reset for Registers Holding Security Settings",{"point":"3l6","priority":"6","details":"1zm","howto":"275"},"CWE-ID:1275 Sensitive Cookie with Improper SameSite Attribute",{"point":"3l8","priority":"6","details":"1zy","howto":"26r"},"CWE-ID:1276 Hardware Child Block Incorrectly Connected to 
Parent System",{"point":"3la","priority":"6","details":"201","howto":"275"},{"point":"2kd","priority":"6","details":"204","howto":"2ke"},{"point":"2ki","priority":"6","details":"20a","howto":"275"},"CWE-ID:1280 Access Control Check Implemented After Asset is Accessed",{"point":"3le","priority":"6","details":"20d","howto":"275"},{"point":"2kk","priority":"6","details":"20g","howto":"275"},"CWE-ID:1282 Assumed-Immutable Data is Stored in Writable Memory",{"point":"3lh","priority":"6","details":"20j","howto":"275"},{"point":"2km","priority":"6","details":"20m","howto":"275"},"CWE-ID:1284 Improper Validation of Specified Quantity in Input",{"point":"3lk","priority":"6","details":"20p","howto":"275"},"CWE-ID:1285 Improper Validation of Specified Index, Position, or Offset in Input",{"point":"3lm","priority":"6","details":"20s","howto":"275"},"CWE-ID:1286 Improper Validation of Syntactic Correctness of Input",{"point":"3lo","priority":"6","details":"20v","howto":"275"},"CWE-ID:1287 Improper Validation of Specified Type of Input",{"point":"3lq","priority":"6","details":"20y","howto":"275"},"CWE-ID:1288 Improper Validation of Consistency within Input",{"point":"3ls","priority":"6","details":"211","howto":"275"},"CWE-ID:1289 Improper Validation of Unsafe Equivalence in Input",{"point":"3lu","priority":"6","details":"214","howto":"275"},{"point":"2ko","priority":"6","details":"217","howto":"275"},"CWE-ID:1291 Public Key Re-Use for Signing both Debug and Production Code","::METHOD:Architecture or Design Review:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the same.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Compare the debug key with the production key to make sure that they are not the 
same.:EFFECTIVENESS:High::",{"point":"3lx","priority":"6","details":"21a","howto":"3ly"},{"point":"2kq","priority":"6","details":"21d","howto":"275"},{"point":"2ks","priority":"6","details":"21g","howto":"275"},{"point":"2ku","priority":"6","details":"21j","howto":"275"},"CWE-ID:1295 Debug Messages Revealing Unnecessary Information",{"point":"3m3","priority":"6","details":"21m","howto":"275"},"CWE-ID:1296 Incorrect Chaining or Granularity of Debug Components","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.:EFFECTIVENESS:High::",{"point":"3m5","priority":"6","details":"21p","howto":"3m6"},"CWE-ID:1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors","::METHOD:Architecture or Design Review:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:High::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.:EFFECTIVENESS:Moderate::",{"point":"3m8","priority":"6","details":"21s","howto":"3m9"},{"point":"2kw","priority":"6","details":"21v","howto":"275"},{"point":"2ky","priority":"6","details":"21y","howto":"275"},"CWE-ID:1300 Improper Protection of Physical Side Channels","::METHOD:Manual Analysis:DESCRIPTION:Perform a set of leakage detection tests such as the procedure 
outlined in the Test Vector Leakage Assessment (TVLA) test requirements for AES [REF-1230]. TVLA is the basis for the ISO standard 17825 [REF-1229]. A separate methodology is provided by [REF-1228]. Note that sole reliance on this method might not yield expected results [REF-1239] [REF-1240].:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Post-silicon, perform full side-channel attacks (penetration testing) covering as many known leakage models as possible against test code.:EFFECTIVENESS:Moderate::METHOD:Manual Analysis:DESCRIPTION:Pre-silicon - while the aforementioned TVLA methods can be performed post-silicon, models of device power consumption or other physical emanations can be built from information present at various stages of the hardware design process before fabrication. TVLA or known side-channel attacks can be applied to these simulated traces and countermeasures applied before tape-out. Academic research in this field includes [REF-1231] [REF-1232] [REF-1233].:EFFECTIVENESS:Moderate::",{"point":"3md","priority":"6","details":"221","howto":"3me"},"CWE-ID:1301 Insufficient or Incomplete Data Removal within Hardware 
Component",{"point":"3mg","priority":"6","details":"224","howto":"275"},{"point":"2l0","priority":"6","details":"227","howto":"275"},{"point":"2l2","priority":"6","details":"22a","howto":"275"},{"point":"2l6","priority":"6","details":"22g","howto":"275"},{"point":"2l8","priority":"6","details":"22j","howto":"275"},{"point":"2la","priority":"6","details":"22m","howto":"2lb"},{"point":"2ld","priority":"6","details":"22p","howto":"275"},{"point":"2lf","priority":"6","details":"22s","howto":"275"},{"point":"2lh","priority":"6","details":"22v","howto":"275"},{"point":"2lj","priority":"6","details":"22y","howto":"2lk"},{"point":"2lm","priority":"6","details":"231","howto":"2ln"},{"point":"2lp","priority":"6","details":"234","howto":"2lq"},{"point":"2ls","priority":"6","details":"237","howto":"275"},{"point":"2lu","priority":"6","details":"23a","howto":"275"},"CWE-ID:1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",{"point":"3mv","priority":"6","details":"23d","howto":"275"},"CWE-ID:1322 Use of Blocking Code in Single-threaded, Non-blocking Context",{"point":"3mx","priority":"6","details":"23g","howto":"275"},{"point":"2lw","priority":"6","details":"23j","howto":"275"},"CWE-ID:1325 Improperly Controlled Sequential Memory Allocation",{"point":"3n0","priority":"6","details":"23m","howto":"275"},{"point":"2ly","priority":"6","details":"23p","howto":"2lz"},{"point":"2m1","priority":"6","details":"23v","howto":"2m2"},{"point":"2m4","priority":"6","details":"23y","howto":"2m5"},"CWE-ID:1330 Remanent Data Readable after Memory Erase","::METHOD:Architecture or Design Review:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. 
Architecture and design analysis of memory clear and erase operations.::METHOD:Dynamic Analysis with Manual Results Interpretation:DESCRIPTION:Testing of memory-device contents after clearing or erase commands. Dynamic analysis of memory contents during device operation to detect specific, confidential assets. Architecture and design analysis of memory clear and erase operations.::",{"point":"3n5","priority":"6","details":"241","howto":"3n6"},{"point":"2m7","priority":"6","details":"244","howto":"2m8"},{"point":"2ma","priority":"6","details":"247","howto":"2mb"},"CWE-ID:1333 Inefficient Regular Expression Complexity",{"point":"3na","priority":"6","details":"24a","howto":"275"},{"point":"2md","priority":"6","details":"24d","howto":"275"},"CWE-ID:1335 Incorrect Bitwise Shift of Integer",{"point":"3nd","priority":"6","details":"24g","howto":"275"},{"point":"2mf","priority":"6","details":"24j","howto":"275"},{"point":"2mh","priority":"6","details":"24m","howto":"2mi"},"CWE-ID:1339 Insufficient Precision or Accuracy of a Real Number",{"point":"3nh","priority":"6","details":"24p","howto":"275"},"CWE-ID:1341 Multiple Releases of Same Resource or Handle","::METHOD:Automated Static Analysis:DESCRIPTION:For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.::METHOD:Automated Dynamic Analysis:DESCRIPTION:Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.::",{"point":"3nj","priority":"6","details":"24s","howto":"3nk"},{"point":"2mm","priority":"6","details":"24y","howto":"275"},"CWE-ID:1385 Missing Origin Validation in WebSockets",{"point":"3nn","priority":"6","details":"257","howto":"275"},"CWE-ID:1386 Insecure Operation on Windows Junction / Mount Point",{"point":"3np","priority":"6","details":"25a","howto":"275"},"CWE-ID:1389 Incorrect Parsing of Numbers with Different 
Radices",{"point":"3nr","priority":"6","details":"25d","howto":"275"},{"point":"2ms","priority":"6","details":"25g","howto":"275"},{"point":"2n2","priority":"6","details":"25v","howto":"2n3"},"CWE-ID:1419 Incorrect Initialization of Resource",{"point":"3nv","priority":"6","details":"25y","howto":"275"},{"point":"2n5","priority":"6","details":"261","howto":"2n6"},{"point":"2n8","priority":"6","details":"264","howto":"2n9"},{"point":"2ne","priority":"6","details":"26a","howto":"2nf"},["2np","2nr","2nt","2nv","2nx","2nz","2o1","2o3","2o6","2o8","2o9","2oc","2oe","2og","2oi","2ok","2om","2oo","2oq","2os","2ou","2ow","2oy","2p1","2p3","2p5","2p7","2p9","2pb","2pd","2pg","2pi","2pk","2pm","2po","2pq","2ps","2pu","2pw","2py","2q0","2q2","2q4","2q6","2q8","2qa","2qc","2qe","2qg","2qi","2qk","2qm","2qo","2qq","2qs","2qu","2qv","2qx","2qz","2r1","2r3","2r6","2r9","2rb","2rd","2rf","2rh","2rj","2rl","2rn","2rp","2rr","2ru","2rw","2ry","2s0","2s2","2s4","2s6","2s8","2sb","2sc","2se","2sg","2si","2sk","2sm","2so","2sq","2ss","2sv","2sx","2sz","2t1","2t3","2t4","2t7","2t9","2tb","2te","2th","2tk","2tm","2to","2tq","2ts","2tu","2tw","2ty","2u1","2u3","2u6","2u9","2ub","2ud","2uf","2uh","2uj","2ul","2un","2up","2ur","2ut","2uv","2ux","2uz","2v1","2v3","2v5","2v7","2v9","2vb","2vd","2vf","2vh","2vj","2vl","2vn","2vp","2vr","2vt","2vv","2vx","2vz","2w1","2w3","2w5","2w7","2w9","2wb","2wd","2wf","2wh","2wj","2wl","2wn","2wp","2wq","2ws","2wu","2ww","2wy","2x1","2x3","2x5","2x7","2x9","2xb","2xd","2xf","2xi","2xj","2xk","2xl","2xm","2xn","2xo","2xq","2xs","2xt","2xu","2xv","2xw","2xx","2xy","2xz","2y1","2y3","2y4","2y6","2y7","2y9","2yc","2ye","2yg","2yi","2yk","2ym","2yo","2yq","2ys","2yu","2yw","2yy","2z0","2z2","2z4","2z6","2z8","2za","2zc","2ze","2zf","2zh","2zj","2zl","2zo","2zp","2zr","2zs","2zt","2zu","2zv","2zw","2zz","301","303","304","306","308","30a","30c","30e","30f","30g","30h","30i","30k","30l","30n","30q","30s","30u","30v","30x","30z","311","313","315","316","318","319",
"31a","31c","31e","31f","31h","31j","31l","31m","31o","31p","31q","31r","31s","31t","31u","31v","31w","31x","31z","321","322","323","324","325","326","327","328","329","32a","32c","32e","32g","32h","32k","32m","32o","32q","32s","32u","32w","32y","330","332","334","335","336","338","33a","33c","33e","33g","33j","33l","33n","33o","33q","33r","33t","33w","33x","33y","33z","340","341","342","343","344","345","347","349","34a","34b","34d","34g","34i","34k","34m","34o","34q","34s","34t","34v","34w","34x","34y","34z","351","352","354","356","358","35a","35b","35d","35e","35g","35i","35k","35m","35o","35q","35s","35u","35w","35y","360","362","363","364","366","368","36a","36b","36e","36h","36j","36l","36o","36q","36s","36u","36x","36z","371","373","375","377","379","37b","37c","37e","37g","37i","37k","37m","37o","37p","37s","37u","37w","37y","37z","380","381","384","386","388","389","38a","38c","38e","38g","38h","38j","38l","38n","38p","38r","38t","38v","38x","38z","391","393","395","397","399","39a","39c","39e","39g","39i","39k","39m","39p","39r","39t","39v","39w","39y","3a0","3a2","3a4","3a6","3a8","3aa","3ac","3ae","3ag","3ai","3ak","3am","3ao","3aq","3as","3au","3aw","3ay","3b0","3b2","3b4","3b6","3b8","3ba","3bc","3be","3bg","3bi","3bk","3bm","3bo","3bp","3bq","3bs","3bu","3bw","3by","3c0","3c2","3c3","3c4","3c6","3c8","3ca","3cc","3ce","3cg","3ch","3cj","3cl","3cn","3cp","3cr","3ct","3cv","3cy","3cz","3d0","3d2","3d3","3d4","3d5","3d7","3d9","3db","3dd","3de","3df","3dh","3dj","3dl","3dm","3dn","3do","3dp","3dq","3ds","3du","3dx","3dz","3e0","3e1","3e2","3e4","3e5","3e7","3e8","3ea","3ec","3ef","3eh","3ek","3em","3eo","3er","3et","3ew","3ez","3f1","3f4","3f6","3f8","3f9","3fb","3fc","3fe","3fh","3fk","3fm","3fo","3fp","3fr","3fs","3fu","3fv","3fw","3fz","3g1","3g3","3g5","3g7","3g9","3gb","3gd","3gf","3gh","3gj","3gl","3gm","3go","3gq","3gs","3gu","3gw","3gy","3h0","3h2","3h4","3h6","3h8","3ha","3hc","3hf","3hh","3hj","3hl","3hn","3hp","3hr","3ht","3hv","3hx","3hy","3
hz","3i2","3i4","3i5","3i7","3ia","3ic","3ie","3ig","3ii","3ik","3il","3im","3io","3iq","3is","3iu","3iv","3iw","3iy","3iz","3j0","3j1","3j2","3j4","3j5","3j6","3j8","3ja","3jc","3jd","3jf","3jh","3jj","3jl","3jn","3jp","3jq","3js","3jt","3jv","3jw","3jx","3jy","3k0","3k1","3k2","3k4","3k5","3k6","3k7","3k8","3k9","3kb","3kd","3kf","3kg","3kh","3ki","3kj","3kk","3kl","3km","3kn","3ko","3kp","3kr","3ks","3kt","3ku","3kv","3kw","3kx","3ky","3kz","3l0","3l1","3l2","3l4","3l5","3l7","3l9","3lb","3lc","3ld","3lf","3lg","3li","3lj","3ll","3ln","3lp","3lr","3lt","3lv","3lw","3lz","3m0","3m1","3m2","3m4","3m7","3ma","3mb","3mc","3mf","3mh","3mi","3mj","3mk","3ml","3mm","3mn","3mo","3mp","3mq","3mr","3ms","3mt","3mu","3mw","3my","3mz","3n1","3n2","3n3","3n4","3n7","3n8","3n9","3nb","3nc","3ne","3nf","3ng","3ni","3nl","3nm","3no","3nq","3ns","3nt","3nu","3nw","3nx","3ny","3nz"],"pink",{"title":"2nk","slug":"2nl","description":"2nm","icon":"2nn","intro":"2nm","checklist":"3o0","color":"3o1"},["26e","2nj","3o2"],{"R4G1hVIrQpw":"3o3"},"\u0001",200,"/framework/",{"loaders":"3o4","action":"3o5","status":"3o6","href":"3o7"}]} \ No newline at end of file diff --git a/dist/index.html b/dist/index.html index 51e95c2..295bc37 100644 --- a/dist/index.html +++ b/dist/index.html @@ -1,14 +1,14 @@ -Quality Supervisor

State of art quality advisory.

Automation Board

Total Checks
741
From June 1st to June 30st
Total Scanning Jobs
985
↗︎ 40 (2%)
New Issues Detected
22
↘︎ 27 (14%)
  • Core


  • Vision


  • TrainEnv


  • Agent Health


  • LLM Connector

Quality Supervisor

An out-of-box continous quality and security compliance framework

Setting up your dashboard

You'll see your progress here, once you start ticking items off the checklists

Get started, by selecting a checklist below

Quality Gate Qualification

You've completed 0 out of 0 items

Risk Board

Ready for Development 3 out of 0 items

State of art quality advisory.

Automation Board

Total Checks
741
From June 1st to June 30st
Total Scanning Jobs
985
↗︎ 40 (2%)
New Issues Detected
22
↘︎ 27 (14%)
  • Core


  • Vision


  • TrainEnv


  • Agent Health


  • LLM Connector

Quality Supervisor

An out-of-box continous quality and security compliance framework

Setting up your dashboard

You'll see your progress here, once you start ticking items off the checklists

Get started, by selecting a checklist below

Quality Gate Qualification

You've completed 0 out of 0 items

Risk Board

Ready for Development 3 out of 0 items