The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.
abstraction Base
status Draft
This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integrated into other entries.
abstraction Variant
status Deprecated
The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.
abstraction Variant
status Draft
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
abstraction Base
status Draft
The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
abstraction Variant
status Draft
The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
abstraction Base
status Draft
Certain conditions, such as network failure, will cause a server error message to be displayed.
abstraction Variant
status Incomplete
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
abstraction Base
status Incomplete
The product makes files or directories accessible to unauthorized actors, even though they should not be.
abstraction Base
status Draft
A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server.
abstraction Variant
status Incomplete
The ASP.NET application does not use an input validation framework.
abstraction Variant
status Draft
The J2EE application stores a plaintext password in a configuration file.
abstraction Variant
status Draft
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
abstraction Variant
status Incomplete
The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
abstraction Variant
status Draft
The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().
abstraction Variant
status Draft
The product contains dead code, which can never be executed.
abstraction Base
status Draft
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
abstraction Base
status Draft
The variable's value is assigned but never used, making it a dead store.
abstraction Base
status Draft
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
abstraction Variant
status Incomplete
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
abstraction Base
status Incomplete
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
abstraction Variant
status Incomplete
The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
abstraction Base
status Draft
The product contains a finalize() method that does not call super.finalize().
abstraction Variant
status Draft
The product contains an expression that will always evaluate to false.
abstraction Base
status Draft
The product contains an expression that will always evaluate to true.
abstraction Base
status Draft
The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.
abstraction Variant
status Draft
The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
abstraction Class
status Draft
The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.
abstraction Variant
status Draft
The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.
abstraction Variant
status Draft
The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.
abstraction Variant
status Draft
The product violates the Enterprise JavaBeans (EJB) specification by using sockets.
abstraction Variant
status Draft
The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.
abstraction Variant
status Draft
The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.
abstraction Variant
status Draft
The product contains a clone() method that does not call super.clone() to obtain the new object.
abstraction Variant
status Draft
The product does not maintain equal hashcodes for equal objects.
abstraction Variant
status Draft
The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.
abstraction Variant
status Draft
The product violates secure coding principles for mobile code by declaring a finalize() method public.
abstraction Variant
status Incomplete
The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.
abstraction Base
status Draft
The product contains an empty synchronized block.
abstraction Variant
status Draft
The product makes an explicit call to the finalize() method from outside the finalizer.
abstraction Base
status Draft
The product sets a pointer to a specific address other than NULL or 0.
abstraction Variant
status Draft
Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.
abstraction Variant
status Incomplete
The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.
abstraction Variant
status Incomplete
The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
abstraction Variant
status Incomplete
The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.
abstraction Variant
status Draft
This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
abstraction Class
status Deprecated
The product modifies the SSL context after connection creation has begun.
abstraction Variant
status Draft
When the J2EE container attempts to write unserializable objects to disk, there is no guarantee that the process will complete successfully.
abstraction Variant
status Incomplete
The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
abstraction Variant
status Incomplete
This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023.
abstraction Base
status Deprecated
The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
abstraction Variant
status Draft
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
abstraction Variant
status Draft
The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.
abstraction Variant
status Incomplete
The Servlet does not catch all exceptions, which may reveal sensitive debugging information.
abstraction Variant
status Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
abstraction Base
status Draft
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
abstraction Class
status Draft
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
abstraction Base
status Draft
When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.
abstraction Variant
status Draft
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
abstraction Base
status Draft
A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.
abstraction Variant
status Draft
An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.
abstraction Variant
status Draft
The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
abstraction Base
status Draft
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
abstraction Class
status Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
abstraction Base
status Draft
The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.
abstraction Base
status Draft
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
abstraction Base
status Incomplete
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
abstraction Variant
status Draft
While adding general comments is very useful, some programmers tend to leave important data in them, such as filenames related to the web application, old links or links that were not meant to be browsed by users, old code fragments, etc.
abstraction Variant
status Incomplete
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
abstraction Variant
status Incomplete
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
abstraction Base
status Draft
An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain).
abstraction Variant
status Incomplete
If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling."
abstraction Base
status Incomplete
When setting a new password for a user, the product does not require knowledge of the original password or the use of another form of authentication.
abstraction Base
status Draft
The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.
abstraction Variant
status Incomplete
The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.
abstraction Variant
status Draft
An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.
abstraction Variant
status Draft
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
abstraction Base
status Incomplete
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
abstraction Base
status Draft
The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
abstraction Variant
status Draft
In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.
abstraction Variant
status Incomplete