
Common Weakness Enumeration

969 weaknesses cataloged by MITRE
CWE describes the underlying weaknesses that lead to vulnerabilities. Every CVE on this site is tagged with its CWE classifications. The CWE Top 25 represents the most dangerous software weaknesses identified by MITRE annually.

Weaknesses

80 shown of 969
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
abstraction Base status Draft
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
abstraction Base status Draft
The product specifies a regular expression in a way that causes data to be improperly matched or compared.
abstraction Class status Draft
A regular expression is overly restrictive, which prevents dangerous values from being detected.
abstraction Base status Draft
The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
abstraction Variant status Incomplete
The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
abstraction Base status Draft
CWE-190 · top25 #23
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
abstraction Base status Stable
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
abstraction Base status Draft
Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.
abstraction Variant status Incomplete
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
abstraction Base status Draft
The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
abstraction Variant status Incomplete
The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
abstraction Variant status Draft
The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.
abstraction Variant status Draft
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
abstraction Base status Incomplete
The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.
abstraction Variant status Draft
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
abstraction Class status Draft
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
abstraction Base status Draft
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
abstraction Base status Draft
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
abstraction Base status Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
abstraction Base status Incomplete
The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.
abstraction Base status Incomplete
The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.
abstraction Variant status Incomplete
The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.
abstraction Variant status Draft
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
abstraction Base status Incomplete
The product generates an error message that includes sensitive information about its environment, users, or associated data.
abstraction Base status Draft
The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
abstraction Base status Draft
The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
abstraction Base status Incomplete
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
abstraction Base status Incomplete
The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.
abstraction Base status Draft
A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
abstraction Base status Incomplete
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
abstraction Base status Draft
This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.
abstraction Class status Deprecated
This entry has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this entry can be found at CWE-766 and CWE-767.
abstraction Base status Deprecated
This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493.
abstraction Base status Deprecated
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
abstraction Variant status Draft
The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.
abstraction Variant status Draft
The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
abstraction Class status Incomplete
The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.
abstraction Base status Draft
The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
abstraction Base status Draft
The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.
abstraction Base status Incomplete
This weakness can be found at CWE-199.
abstraction Base status Deprecated
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
abstraction Base status Draft
The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
abstraction Class status Incomplete
The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.
abstraction Base status Incomplete
The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.
abstraction Variant status Draft
The product does not handle or incorrectly handles when more values are provided than expected.
abstraction Variant status Draft
The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.
abstraction Variant status Draft
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
abstraction Base status Incomplete
If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.
abstraction Variant status Incomplete
The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.
abstraction Variant status Draft
The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.
abstraction Variant status Draft
The product does not handle or incorrectly handles inputs that are related to complex structures.
abstraction Base status Incomplete
The product does not handle or incorrectly handles when a particular structural element is not completely specified.
abstraction Variant status Draft
The product does not properly handle when a particular element is not completely specified.
abstraction Variant status Draft
The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.
abstraction Base status Draft
The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
abstraction Base status Draft
The product calls a function that can never be guaranteed to work safely.
abstraction Base status Draft
The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.
abstraction Variant status Draft
Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
abstraction Variant status Draft
The J2EE application directly manages connections, instead of using the container's connection management facilities.
abstraction Variant status Draft
The J2EE application directly uses sockets instead of using framework method calls.
abstraction Variant status Draft
This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.
abstraction Base status Deprecated
An exception is thrown from a function, but it is not caught.
abstraction Base status Draft
This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
abstraction Variant status Deprecated
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
abstraction Base status Draft
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
abstraction Base status Draft
The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
abstraction Base status Incomplete
The product stores a password in plaintext within resources such as memory or files.
abstraction Base status Incomplete
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
abstraction Base status Incomplete
Using an empty string as a password is insecure.
abstraction Variant status Incomplete
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
abstraction Variant status Draft
The product stores a password in a configuration file that might be accessible to actors who do not know the password.
abstraction Base status Incomplete
Obscuring a password with a trivial encoding does not protect the password.
abstraction Base status Incomplete
The product does not have a mechanism in place for managing password aging.
abstraction Base status Draft
The product supports password aging, but the expiration period is too long.
abstraction Base status Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
abstraction Base status Draft
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
abstraction Base status Incomplete
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.
abstraction Base status Draft
CWE-269 · top25 #15
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
abstraction Class status Draft
The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.
abstraction Base status Draft