CWE coverage for Red Hat Customer Portal emphasized in the Developer View (CWE-699)
- CWE-699: Development Concepts
- CWE-629: Weaknesses in OWASP Top Ten (2007)
- CWE-631: Resource-specific Weaknesses
- CWE-701: Weaknesses Introduced During Design
- CWE-702: Weaknesses Introduced During Implementation
- CWE-1: Location
- CWE-16: Configuration
- CWE-17: Code
- CWE-18: Source Code
- CWE-19: Data Handling
- CWE-133: String Errors
- CWE-136: Type Errors
- CWE-137: Representation Errors
- CWE-171: Cleansing, Canonicalization, and Comparison Errors
- CWE-172: Encoding Error
- CWE-178: Improper Handling of Case Sensitivity
- CWE-179: Incorrect Behavior Order: Early Validation
- CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
- CWE-181: Incorrect Behavior Order: Validate Before Filter
- CWE-182: Collapse of Data into Unsafe Value
- CWE-183: Permissive Whitelist
- CWE-184: Incomplete Blacklist
- CWE-185: Incorrect Regular Expression
- CWE-187: Partial Comparison
- CWE-478: Missing Default Case in Switch Statement
- CWE-486: Comparison of Classes by Name
- CWE-595: Comparison of Object References Instead of Object Contents
- CWE-596: Incorrect Semantic Object Comparison
- CWE-697: Insufficient Comparison
- CWE-768: Incorrect Short Circuit Evaluation

- CWE-138: Improper Neutralization of Special Elements
- CWE-169: Technology-Specific Special Elements
- CWE-140: Improper Neutralization of Delimiters
- CWE-141: Improper Neutralization of Parameter/Argument Delimiters
- CWE-142: Improper Neutralization of Value Delimiters
- CWE-143: Improper Neutralization of Record Delimiters
- CWE-144: Improper Neutralization of Line Delimiters
- CWE-145: Improper Neutralization of Section Delimiters
- CWE-146: Improper Neutralization of Expression/Command Delimiters

- CWE-147: Improper Neutralization of Input Terminators
- CWE-148: Improper Neutralization of Input Leaders
- CWE-149: Improper Neutralization of Quoting Syntax
- CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
- CWE-151: Improper Neutralization of Comment Delimiters
- CWE-152: Improper Neutralization of Macro Symbols
- CWE-153: Improper Neutralization of Substitution Characters
- CWE-154: Improper Neutralization of Variable Name Delimiters
- CWE-155: Improper Neutralization of Wildcards or Matching Symbols
- CWE-156: Improper Neutralization of Whitespace
- CWE-157: Failure to Sanitize Paired Delimiters
- CWE-158: Improper Neutralization of Null Byte or NUL Character
- CWE-159: Failure to Sanitize Special Element
- CWE-160: Improper Neutralization of Leading Special Elements
- CWE-162: Improper Neutralization of Trailing Special Elements
- CWE-164: Improper Neutralization of Internal Special Elements
- CWE-166: Improper Handling of Missing Special Element
- CWE-167: Improper Handling of Additional Special Element
- CWE-168: Improper Handling of Inconsistent Special Elements

- CWE-188: Reliance on Data/Memory Layout
- CWE-228: Improper Handling of Syntactically Invalid Structure

- CWE-189: Numeric Errors
- CWE-128: Wrap-around Error
- CWE-129: Improper Validation of Array Index
- CWE-190: Integer Overflow or Wraparound
- CWE-195: Signed to Unsigned Conversion Error
- CWE-198: Use of Incorrect Byte Ordering
- CWE-681: Incorrect Conversion between Numeric Types
- CWE-682: Incorrect Calculation
- CWE-839: Numeric Range Comparison Without Minimum Check

- CWE-199: Information Management Errors
- CWE-200: Information Exposure
- CWE-201: Information Exposure Through Sent Data
- CWE-202: Exposure of Sensitive Data Through Data Queries
- CWE-203: Information Exposure Through Discrepancy
- CWE-209: Information Exposure Through an Error Message
- CWE-212: Improper Cross-boundary Removal of Sensitive Data
- CWE-213: Intentional Information Exposure
- CWE-214: Information Exposure Through Process Environment
- CWE-215: Information Exposure Through Debug Information
- CWE-226: Sensitive Information Uncleared Before Release
- CWE-497: Exposure of System Data to an Unauthorized Control Sphere
- CWE-524: Information Exposure Through Caching
- CWE-526: Information Exposure Through Environmental Variables
- CWE-538: File and Directory Information Exposure
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
- CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
- CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
- CWE-532: Information Exposure Through Log Files
- CWE-539: Information Exposure Through Persistent Cookies
- CWE-540: Information Exposure Through Source Code
- CWE-548: Information Exposure Through Directory Listing
- CWE-651: Information Exposure Through WSDL File

- CWE-598: Information Exposure Through Query Strings in GET Request
- CWE-612: Information Exposure Through Indexing of Private Data

- CWE-216: Containment Errors (Container Errors)
- CWE-221: Information Loss or Omission
- CWE-779: Logging of Excessive Data

- CWE-461: Data Structure Issues
- CWE-116: Improper Encoding or Escaping of Output
- CWE-118: Improper Access of Indexable Resource ('Range Error')
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: Write-what-where Condition
- CWE-125: Out-of-bounds Read
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference

- CWE-20: Improper Input Validation
- CWE-100: Technology-Specific Input Validation Problems
- CWE-101: Struts Validation Problems
- CWE-102: Struts: Duplicate Validation Forms
- CWE-103: Struts: Incomplete validate() Method Definition
- CWE-104: Struts: Form Bean Does Not Extend Validation Class
- CWE-105: Struts: Form Field Without Validator
- CWE-106: Struts: Plug-in Framework not in Use
- CWE-107: Struts: Unused Validation Form
- CWE-108: Struts: Unvalidated Action Form
- CWE-109: Struts: Validator Turned Off
- CWE-110: Struts: Validator Without Form Field
- CWE-608: Struts: Non-private Field in ActionForm Class

- CWE-21: Pathname Traversal and Equivalence Errors
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
- CWE-24: Path Traversal: '../filedir'
- CWE-25: Path Traversal: '/../filedir'
- CWE-26: Path Traversal: '/dir/../filename'
- CWE-27: Path Traversal: 'dir/../../filename'
- CWE-28: Path Traversal: '..\filedir'
- CWE-29: Path Traversal: '\..\filename'
- CWE-30: Path Traversal: '\dir\..\filename'
- CWE-31: Path Traversal: 'dir\..\..\filename'
- CWE-32: Path Traversal: '...' (Triple Dot)
- CWE-33: Path Traversal: '....' (Multiple Dot)
- CWE-34: Path Traversal: '....//'
- CWE-35: Path Traversal: '.../...//'

- CWE-36: Absolute Path Traversal

- CWE-41: Improper Resolution of Path Equivalence
- CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
- CWE-44: Path Equivalence: 'file.name' (Internal Dot)
- CWE-46: Path Equivalence: 'filename ' (Trailing Space)
- CWE-47: Path Equivalence: ' filename' (Leading Space)
- CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
- CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
- CWE-50: Path Equivalence: '//multiple/leading/slash'
- CWE-51: Path Equivalence: '/multiple//internal/slash'
- CWE-52: Path Equivalence: '/multiple/trailing/slash//'
- CWE-53: Path Equivalence: '\multiple\\internal\backslash'
- CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash)
- CWE-55: Path Equivalence: '/./' (Single Dot Directory)
- CWE-56: Path Equivalence: 'filedir*' (Wildcard)
- CWE-57: Path Equivalence: 'fakedir/../realdir/filename'
- CWE-58: Path Equivalence: Windows 8.3 Filename

- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-66: Improper Handling of File Names that Identify Virtual Resources

- CWE-111: Direct Use of Unsafe JNI
- CWE-112: Missing XML Validation
- CWE-114: Process Control
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: Write-what-where Condition
- CWE-125: Out-of-bounds Read
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference

- CWE-129: Improper Validation of Array Index
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-606: Unchecked Input for Loop Condition
- CWE-622: Improper Validation of Function Hook Arguments
- CWE-626: Null Byte Interaction Error (Poison Null Byte)
- CWE-73: External Control of File Name or Path
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-134: Uncontrolled Format String
- CWE-138: Improper Neutralization of Special Elements
- CWE-169: Technology-Specific Special Elements
- CWE-140: Improper Neutralization of Delimiters
- CWE-141: Improper Neutralization of Parameter/Argument Delimiters
- CWE-142: Improper Neutralization of Value Delimiters
- CWE-143: Improper Neutralization of Record Delimiters
- CWE-144: Improper Neutralization of Line Delimiters
- CWE-145: Improper Neutralization of Section Delimiters
- CWE-146: Improper Neutralization of Expression/Command Delimiters

- CWE-147: Improper Neutralization of Input Terminators
- CWE-148: Improper Neutralization of Input Leaders
- CWE-149: Improper Neutralization of Quoting Syntax
- CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
- CWE-151: Improper Neutralization of Comment Delimiters
- CWE-152: Improper Neutralization of Macro Symbols
- CWE-153: Improper Neutralization of Substitution Characters
- CWE-154: Improper Neutralization of Variable Name Delimiters
- CWE-155: Improper Neutralization of Wildcards or Matching Symbols
- CWE-156: Improper Neutralization of Whitespace
- CWE-157: Failure to Sanitize Paired Delimiters
- CWE-158: Improper Neutralization of Null Byte or NUL Character
- CWE-159: Failure to Sanitize Special Element
- CWE-160: Improper Neutralization of Leading Special Elements
- CWE-162: Improper Neutralization of Trailing Special Elements
- CWE-164: Improper Neutralization of Internal Special Elements
- CWE-166: Improper Handling of Missing Special Element
- CWE-167: Improper Handling of Additional Special Element
- CWE-168: Improper Handling of Inconsistent Special Elements

- CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-624: Executable Regular Expression Error
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-88: Argument Injection or Modification
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
- CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
- CWE-85: Doubled Character XSS Manipulations
- CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
- CWE-87: Improper Neutralization of Alternate XSS Syntax

- CWE-91: XML Injection (aka Blind XPath Injection)
- CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

- CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
- CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer

- CWE-228: Improper Handling of Syntactically Invalid Structure
- CWE-471: Modification of Assumed-Immutable Data (MAID)

- CWE-254: Security Features
- CWE-255: Credentials Management
- CWE-261: Weak Cryptography for Passwords
- CWE-262: Not Using Password Aging
- CWE-263: Password Aging with Long Expiration
- CWE-521: Weak Password Requirements
- CWE-522: Insufficiently Protected Credentials
- CWE-549: Missing Password Field Masking
- CWE-620: Unverified Password Change
- CWE-640: Weak Password Recovery Mechanism for Forgotten Password
- CWE-798: Use of Hard-coded Credentials

- CWE-264: Permissions, Privileges, and Access Controls
- CWE-265: Privilege / Sandbox Issues
- CWE-250: Execution with Unnecessary Privileges
- CWE-266: Incorrect Privilege Assignment
- CWE-267: Privilege Defined With Unsafe Actions
- CWE-268: Privilege Chaining
- CWE-269: Improper Privilege Management
- CWE-271: Privilege Dropping / Lowering Errors
- CWE-274: Improper Handling of Insufficient Privileges
- CWE-610: Externally Controlled Reference to a Resource in Another Sphere
- CWE-648: Incorrect Use of Privileged APIs

- CWE-275: Permission Issues
- CWE-276: Incorrect Default Permissions
- CWE-277: Insecure Inherited Permissions
- CWE-278: Insecure Preserved Inherited Permissions
- CWE-279: Incorrect Execution-Assigned Permissions
- CWE-280: Improper Handling of Insufficient Permissions or Privileges
- CWE-281: Improper Preservation of Permissions
- CWE-618: Exposed Unsafe ActiveX Method
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-689: Permission Race Condition During Resource Copy

- CWE-282: Improper Ownership Management
- CWE-284: Improper Access Control
- CWE-269: Improper Privilege Management
- CWE-285: Improper Authorization
- CWE-286: Incorrect User Management
- CWE-287: Improper Authentication
- CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
- CWE-301: Reflection Attack in an Authentication Protocol
- CWE-303: Incorrect Implementation of Authentication Algorithm
- CWE-304: Missing Critical Step in Authentication
- CWE-306: Missing Authentication for Critical Function
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-308: Use of Single-factor Authentication
- CWE-309: Use of Password System for Primary Authentication
- CWE-592: Authentication Bypass Issues
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-289: Authentication Bypass by Alternate Name
- CWE-290: Authentication Bypass by Spoofing
- CWE-294: Authentication Bypass by Capture-replay
- CWE-302: Authentication Bypass by Assumed-Immutable Data
- CWE-305: Authentication Bypass by Primary Weakness
- CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

- CWE-603: Use of Client-Side Authentication
- CWE-620: Unverified Password Change
- CWE-645: Overly Restrictive Account Lockout Mechanism
- CWE-804: Guessable CAPTCHA
- CWE-836: Use of Password Hash Instead of Password for Authentication
- CWE-923: Improper Authentication of Endpoint in a Communication Channel
- CWE-384: Session Fixation

- CWE-782: Exposed IOCTL with Insufficient Access Control

- CWE-310: Cryptographic Issues
- CWE-320: Key Management Errors
- CWE-311: Missing Encryption of Sensitive Data
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-313: Cleartext Storage in a File or on Disk
- CWE-314: Cleartext Storage in the Registry
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie
- CWE-316: Cleartext Storage of Sensitive Information in Memory
- CWE-317: Cleartext Storage of Sensitive Information in GUI
- CWE-318: Cleartext Storage of Sensitive Information in Executable

- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

- CWE-325: Missing Required Cryptographic Step
- CWE-326: Inadequate Encryption Strength
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-328: Reversible One-Way Hash
- CWE-329: Not Using a Random IV with CBC Mode
- CWE-780: Use of RSA Algorithm without OAEP

- CWE-355: User Interface Security Issues
- CWE-260: Password in Configuration File
- CWE-287: Improper Authentication
- CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
- CWE-301: Reflection Attack in an Authentication Protocol
- CWE-303: Incorrect Implementation of Authentication Algorithm
- CWE-304: Missing Critical Step in Authentication
- CWE-306: Missing Authentication for Critical Function
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-308: Use of Single-factor Authentication
- CWE-309: Use of Password System for Primary Authentication
- CWE-592: Authentication Bypass Issues
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-289: Authentication Bypass by Alternate Name
- CWE-290: Authentication Bypass by Spoofing
- CWE-294: Authentication Bypass by Capture-replay
- CWE-302: Authentication Bypass by Assumed-Immutable Data
- CWE-305: Authentication Bypass by Primary Weakness
- CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

- CWE-603: Use of Client-Side Authentication
- CWE-620: Unverified Password Change
- CWE-645: Overly Restrictive Account Lockout Mechanism
- CWE-804: Guessable CAPTCHA
- CWE-836: Use of Password Hash Instead of Password for Authentication
- CWE-923: Improper Authentication of Endpoint in a Communication Channel
- CWE-384: Session Fixation

- CWE-295: Improper Certificate Validation
- CWE-330: Use of Insufficiently Random Values
- CWE-331: Insufficient Entropy
- CWE-334: Small Space of Random Values
- CWE-335: PRNG Seed Error
- CWE-338: Use of Cryptographically Weak PRNG
- CWE-340: Predictability Problems
- CWE-341: Predictable from Observable State
- CWE-342: Predictable Exact Value from Previous Values
- CWE-343: Predictable Value Range from Previous Values
- CWE-344: Use of Invariant Value in Dynamically Changing Context
- CWE-804: Guessable CAPTCHA

- CWE-345: Insufficient Verification of Data Authenticity
- CWE-346: Origin Validation Error
- CWE-347: Improper Verification of Cryptographic Signature
- CWE-348: Use of Less Trusted Source
- CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
- CWE-351: Insufficient Type Distinction
- CWE-353: Missing Support for Integrity Check
- CWE-354: Improper Validation of Integrity Check Value
- CWE-360: Trust of System Event Data
- CWE-646: Reliance on File Name or Extension of Externally-Supplied File
- CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
- CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
- CWE-352: Cross-Site Request Forgery (CSRF)

- CWE-358: Improperly Implemented Security Check for Standard
- CWE-359: Privacy Violation
- CWE-565: Reliance on Cookies without Validation and Integrity Checking
- CWE-602: Client-Side Enforcement of Server-Side Security
- CWE-653: Insufficient Compartmentalization
- CWE-654: Reliance on a Single Factor in a Security Decision
- CWE-655: Insufficient Psychological Acceptability
- CWE-656: Reliance on Security Through Obscurity
- CWE-693: Protection Mechanism Failure
- CWE-778: Insufficient Logging
- CWE-779: Logging of Excessive Data
- CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- CWE-807: Reliance on Untrusted Inputs in a Security Decision

- CWE-361: Time and State
- CWE-371: State Issues
- CWE-376: Temporary File Issues
- CWE-380: Technology-Specific Time and State Issues
- CWE-387: Signal Errors
- CWE-557: Concurrency Issues
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-385: Covert Timing Channel
- CWE-386: Symbolic Name not Mapping to Correct Object
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-609: Double-Checked Locking
- CWE-613: Insufficient Session Expiration
- CWE-662: Improper Synchronization
- CWE-663: Use of a Non-reentrant Function in a Concurrent Context
- CWE-664: Improper Control of a Resource Through its Lifetime
- CWE-704: Incorrect Type Conversion or Cast
- CWE-922: Insecure Storage of Sensitive Information
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-313: Cleartext Storage in a File or on Disk
- CWE-314: Cleartext Storage in the Registry
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie
- CWE-316: Cleartext Storage of Sensitive Information in Memory
- CWE-317: Cleartext Storage of Sensitive Information in GUI
- CWE-318: Cleartext Storage of Sensitive Information in Executable

- CWE-921: Storage of Sensitive Data in a Mechanism without Access Control

- CWE-668: Exposure of Resource to Wrong Sphere
- CWE-669: Incorrect Resource Transfer Between Spheres
- CWE-672: Operation on a Resource after Expiration or Release
- CWE-673: External Influence of Sphere Definition
- CWE-674: Uncontrolled Recursion
- CWE-691: Insufficient Control Flow Management
- CWE-698: Execution After Redirect (EAR)
- CWE-384: Session Fixation

- CWE-388: Error Handling
- CWE-389: Error Conditions, Return Values, Status Codes
- CWE-248: Uncaught Exception
- CWE-252: Unchecked Return Value
- CWE-253: Incorrect Check of Function Return Value
- CWE-390: Detection of Error Condition Without Action
- CWE-391: Unchecked Error Condition
- CWE-392: Missing Report of Error Condition
- CWE-393: Return of Wrong Status Code
- CWE-394: Unexpected Status Code or Return Value
- CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
- CWE-396: Declaration of Catch for Generic Exception
- CWE-397: Declaration of Throws for Generic Exception
- CWE-584: Return Inside Finally Block

- CWE-544: Missing Standardized Error Handling Mechanism
- CWE-600: Uncaught Exception in Servlet
- CWE-636: Not Failing Securely ('Failing Open')
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-756: Missing Custom Error Page

- CWE-417: Channel and Path Errors
- CWE-429: Handler Errors
- CWE-430: Deployment of Wrong Handler
- CWE-431: Missing Handler
- CWE-432: Dangerous Signal Handler not Disabled During Sensitive Operations
- CWE-433: Unparsed Raw Web Content Delivery
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-479: Signal Handler Use of a Non-reentrant Function
- CWE-616: Incomplete Identification of Uploaded File Variables (PHP)

- CWE-438: Behavioral Problems
- CWE-840: Business Logic Errors
- CWE-200: Information Exposure
- CWE-201: Information Exposure Through Sent Data
- CWE-202: Exposure of Sensitive Data Through Data Queries
- CWE-203: Information Exposure Through Discrepancy
- CWE-209: Information Exposure Through an Error Message
- CWE-212: Improper Cross-boundary Removal of Sensitive Data
- CWE-213: Intentional Information Exposure
- CWE-214: Information Exposure Through Process Environment
- CWE-215: Information Exposure Through Debug Information
- CWE-226: Sensitive Information Uncleared Before Release
- CWE-497: Exposure of System Data to an Unauthorized Control Sphere
- CWE-524: Information Exposure Through Caching
- CWE-526: Information Exposure Through Environmental Variables
- CWE-538: File and Directory Information Exposure
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
- CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
- CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
- CWE-532: Information Exposure Through Log Files
- CWE-539: Information Exposure Through Persistent Cookies
- CWE-540: Information Exposure Through Source Code
- CWE-548: Information Exposure Through Directory Listing
- CWE-651: Information Exposure Through WSDL File

- CWE-598: Information Exposure Through Query Strings in GET Request
- CWE-612: Information Exposure Through Indexing of Private Data

- CWE-282: Improper Ownership Management
- CWE-285: Improper Authorization
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-408: Incorrect Behavior Order: Early Amplification
- CWE-596: Incorrect Semantic Object Comparison
- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-640: Weak Password Recovery Mechanism for Forgotten Password
- CWE-666: Operation on Resource in Wrong Phase of Lifetime
- CWE-696: Incorrect Behavior Order
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-799: Improper Control of Interaction Frequency
- CWE-841: Improper Enforcement of Behavioral Workflow

- CWE-439: Behavioral Change in New Version or Environment
- CWE-440: Expected Behavior Violation
- CWE-799: Improper Control of Interaction Frequency
- CWE-841: Improper Enforcement of Behavioral Workflow

- CWE-442: Web Problems
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
- CWE-425: Direct Request ('Forced Browsing')
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-646: Reliance on File Name or Extension of Externally-Supplied File
- CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions
- CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
- CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
- CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
- CWE-85: Doubled Character XSS Manipulations
- CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
- CWE-87: Improper Neutralization of Alternate XSS Syntax

- CWE-827: Improper Control of Document Type Definition
- CWE-352: Cross-Site Request Forgery (CSRF)

- CWE-445: User Interface Errors
- CWE-452: Initialization and Cleanup Errors
- CWE-453: Insecure Default Variable Initialization
- CWE-454: External Initialization of Trusted Variables or Data Stores
- CWE-455: Non-exit on Failed Initialization
- CWE-456: Missing Initialization of a Variable
- CWE-459: Incomplete Cleanup
- CWE-460: Improper Cleanup on Thrown Exception
- CWE-665: Improper Initialization
- CWE-908: Use of Uninitialized Resource
- CWE-909: Missing Initialization of Resource
- CWE-910: Use of Expired File Descriptor
- CWE-911: Improper Update of Reference Count

- CWE-465: Pointer Issues
- CWE-466: Return of Pointer Value Outside of Expected Range
- CWE-467: Use of sizeof() on a Pointer Type
- CWE-468: Incorrect Pointer Scaling
- CWE-469: Use of Pointer Subtraction to Determine Size
- CWE-476: NULL Pointer Dereference
- CWE-587: Assignment of a Fixed Address to a Pointer
- CWE-588: Attempt to Access Child of a Non-structure Pointer
- CWE-761: Free of Pointer not at Start of Buffer
- CWE-763: Release of Invalid Pointer or Reference
- CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference

- CWE-227: Improper Fulfillment of API Contract ('API Abuse')
- CWE-251: Often Misused: String Management
- CWE-559: Often Misused: Arguments and Parameters
- CWE-560: Use of umask() with chmod-style Argument
- CWE-628: Function Call with Incorrectly Specified Arguments
- CWE-683: Function Call With Incorrect Order of Arguments
- CWE-685: Function Call With Incorrect Number of Arguments
- CWE-686: Function Call With Incorrect Argument Type
- CWE-687: Function Call With Incorrectly Specified Argument Value
- CWE-688: Function Call With Incorrect Variable or Reference as Argument

- CWE-242: Use of Inherently Dangerous Function
- CWE-243: Creation of chroot Jail Without Changing Working Directory
- CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')
- CWE-245: J2EE Bad Practices: Direct Management of Connections
- CWE-246: J2EE Bad Practices: Direct Use of Sockets
- CWE-248: Uncaught Exception
- CWE-250: Execution with Unnecessary Privileges
- CWE-252: Unchecked Return Value
- CWE-253: Incorrect Check of Function Return Value
- CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action
- CWE-382: J2EE Bad Practices: Use of System.exit()
- CWE-573: Improper Following of Specification by Caller
- CWE-577: EJB Bad Practices: Use of Sockets
- CWE-578: EJB Bad Practices: Use of Class Loader
- CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session
- CWE-580: clone() Method Without super.clone()
- CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined
- CWE-694: Use of Multiple Resources with Duplicate Identifier
- CWE-695: Use of Low-Level Functionality

- CWE-589: Call to Non-ubiquitous API
- CWE-605: Multiple Binds to the Same Port
- CWE-684: Incorrect Provision of Specified Functionality

- CWE-398: Indicator of Poor Code Quality
- CWE-399: Resource Management Errors
- CWE-411: Resource Locking Problems
- CWE-417: Channel and Path Errors
- CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
- CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')
- CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
- CWE-404: Improper Resource Shutdown or Release
- CWE-405: Asymmetric Resource Consumption (Amplification)
- CWE-410: Insufficient Resource Pool
- CWE-415: Double Free
- CWE-416: Use After Free
- CWE-568: finalize() Method Without super.finalize()
- CWE-590: Free of Memory not on the Heap
- CWE-761: Free of Pointer not at Start of Buffer
- CWE-762: Mismatched Memory Management Routines
- CWE-763: Release of Invalid Pointer or Reference

- CWE-569: Expression Issues
- CWE-480: Use of Incorrect Operator
- CWE-481: Assigning instead of Comparing
- CWE-482: Comparing instead of Assigning
- CWE-570: Expression is Always False
- CWE-571: Expression is Always True
- CWE-588: Attempt to Access Child of a Non-structure Pointer
- CWE-595: Comparison of Object References Instead of Object Contents
- CWE-596: Incorrect Semantic Object Comparison
- CWE-783: Operator Precedence Logic Error

- CWE-404: Improper Resource Shutdown or Release
- CWE-474: Use of Function with Inconsistent Implementations
- CWE-475: Undefined Behavior for Input to API
- CWE-476: NULL Pointer Dereference
- CWE-477: Use of Obsolete Functions
- CWE-478: Missing Default Case in Switch Statement
- CWE-483: Incorrect Block Delimitation
- CWE-484: Omitted Break Statement in Switch
- CWE-546: Suspicious Comment
- CWE-547: Use of Hard-coded, Security-relevant Constants
- CWE-561: Dead Code
- CWE-562: Return of Stack Variable Address
- CWE-563: Unused Variable
- CWE-585: Empty Synchronized Block
- CWE-586: Explicit Call to Finalize()
- CWE-617: Reachable Assertion
- CWE-676: Use of Potentially Dangerous Function

- CWE-485: Insufficient Encapsulation
- CWE-490: Mobile Code Issues
- CWE-491: Public cloneable() Method Without Final ('Object Hijack')
- CWE-492: Use of Inner Class Containing Sensitive Data
- CWE-493: Critical Public Variable Without Final Modifier
- CWE-494: Download of Code Without Integrity Check
- CWE-582: Array Declared Public, Final, and Static
- CWE-583: finalize() Method Declared Public

- CWE-486: Comparison of Classes by Name
- CWE-487: Reliance on Package-level Scope
- CWE-488: Exposure of Data Element to Wrong Session
- CWE-489: Leftover Debug Code
- CWE-495: Private Array-Typed Field Returned From A Public Method
- CWE-496: Public Data Assigned to Private Array-Typed Field
- CWE-498: Cloneable Class Containing Sensitive Information
- CWE-499: Serializable Class Containing Sensitive Data
- CWE-501: Trust Boundary Violation
- CWE-545: Use of Dynamic Class Loading
- CWE-580: clone() Method Without super.clone()
- CWE-594: J2EE Framework: Saving Unserializable Objects to Disk
- CWE-607: Public Static Final Field References Mutable Object
- CWE-749: Exposed Dangerous Method or Function
- CWE-766: Critical Variable Declared Public
- CWE-767: Access to Critical Private Variable via Public Method

- CWE-503: Byte/Object Code
- CWE-490: Mobile Code Issues
- CWE-491: Public cloneable() Method Without Final ('Object Hijack')
- CWE-492: Use of Inner Class Containing Sensitive Data
- CWE-493: Critical Public Variable Without Final Modifier
-
CWE-494: Download of Code Without Integrity Check
-
CWE-582: Array Declared Public, Final, and Static
-
CWE-583: finalize() Method Declared Public
-
-
CWE-14: Compiler Removal of Code to Clear Buffers
-
-
CWE-657: Violation of Secure Design Principles
-
CWE-250: Execution with Unnecessary Privileges
-
CWE-636: Not Failing Securely ('Failing Open')
-
CWE-637: Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
-
CWE-638: Not Using Complete Mediation
-
CWE-653: Insufficient Compartmentalization
-
CWE-654: Reliance on a Single Factor in a Security Decision
-
CWE-655: Insufficient Psychological Acceptability
-
CWE-656: Reliance on Security Through Obscurity
-
CWE-671: Lack of Administrator Control over Security
-
-
-
CWE-2: Environment
-
CWE-3: Technology-specific Environment Issues
-
CWE-4: J2EE Environment Issues
-
CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption
-
CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File
-
CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length
-
CWE-7: J2EE Misconfiguration: Missing Custom Error Page
-
CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote
-
CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods
-
-
CWE-519: .NET Environment Issues
-
CWE-10: ASP.NET Environment Issues
-
CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
-
CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page
-
CWE-13: ASP.NET Misconfiguration: Password in Configuration File
-
CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework
-
CWE-556: ASP.NET Misconfiguration: Use of Identity Impersonation
-
-
CWE-520: .NET Misconfiguration: Use of Impersonation
-
-
-
CWE-14: Compiler Removal of Code to Clear Buffers
-
CWE-15: External Control of System or Configuration Setting
-
CWE-435: Interaction Error
-
CWE-552: Files or Directories Accessible to External Parties
-
CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
-
CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
-
CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
-
CWE-532: Information Exposure Through Log Files
-
CWE-533: Information Exposure Through Server Log Files
-
CWE-534: Information Exposure Through Debug Log Files
-
CWE-540: Information Exposure Through Source Code
-
CWE-542: Information Exposure Through Cleanup Log Files
-
CWE-553: Command Shell in Externally Accessible Directory
-
-
CWE-650: Trusting HTTP Permission Methods on the Server Side
-
-
-
CWE-504: Motivation/Intent
-
CWE coverage for Red Hat Customer Portal emphasized in the Research View (CWE-1000)
-
CWE-1000: Research Concepts
-
CWE-118: Improper Access of Indexable Resource ('Range Error')
-
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
-
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
-
CWE-123: Write-what-where Condition
-
CWE-125: Out-of-bounds Read
-
CWE-466: Return of Pointer Value Outside of Expected Range
-
CWE-786: Access of Memory Location Before Start of Buffer
-
CWE-787: Out-of-bounds Write
-
CWE-788: Access of Memory Location After End of Buffer
-
CWE-805: Buffer Access with Incorrect Length Value
-
CWE-822: Untrusted Pointer Dereference
-
CWE-823: Use of Out-of-range Pointer Offset
-
CWE-824: Access of Uninitialized Pointer
-
CWE-825: Expired Pointer Dereference
-
-
-
CWE-330: Use of Insufficiently Random Values
-
CWE-329: Not Using a Random IV with CBC Mode
-
CWE-331: Insufficient Entropy
-
CWE-334: Small Space of Random Values
-
CWE-335: PRNG Seed Error
-
CWE-338: Use of Cryptographically Weak PRNG
-
CWE-340: Predictability Problems
-
CWE-341: Predictable from Observable State
-
CWE-342: Predictable Exact Value from Previous Values
-
CWE-343: Predictable Value Range from Previous Values
-
CWE-344: Use of Invariant Value in Dynamically Changing Context
-
CWE-804: Guessable CAPTCHA
-
-
CWE-435: Interaction Error
-
CWE-188: Reliance on Data/Memory Layout
-
CWE-436: Interpretation Conflict
-
CWE-115: Misinterpretation of Input
-
CWE-437: Incomplete Model of Endpoint Features
-
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
-
CWE-626: Null Byte Interaction Error (Poison Null Byte)
-
CWE-650: Trusting HTTP Permission Methods on the Server Side
-
CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
-
-
CWE-439: Behavioral Change in New Version or Environment
-
CWE-733: Compiler Optimization Removal or Modification of Security-critical Code
-
-
CWE-664: Improper Control of a Resource Through its Lifetime
-
CWE-221: Information Loss or Omission
-
CWE-222: Truncation of Security-relevant Information
-
CWE-223: Omission of Security-relevant Information
-
CWE-224: Obscured Security-relevant Information by Alternate Name
-
CWE-356: Product UI does not Warn User of Unsafe Actions
-
CWE-396: Declaration of Catch for Generic Exception
-
CWE-397: Declaration of Throws for Generic Exception
-
CWE-451: UI Misrepresentation of Critical Information
-
-
CWE-284: Improper Access Control
-
CWE-269: Improper Privilege Management
-
CWE-250: Execution with Unnecessary Privileges
-
CWE-266: Incorrect Privilege Assignment
-
CWE-267: Privilege Defined With Unsafe Actions
-
CWE-268: Privilege Chaining
-
CWE-270: Privilege Context Switching Error
-
CWE-271: Privilege Dropping / Lowering Errors
-
CWE-274: Improper Handling of Insufficient Privileges
-
CWE-648: Incorrect Use of Privileged APIs
-
-
CWE-282: Improper Ownership Management
-
CWE-285: Improper Authorization
-
CWE-219: Sensitive Data Under Web Root
-
CWE-732: Incorrect Permission Assignment for Critical Resource
-
CWE-862: Missing Authorization
-
CWE-863: Incorrect Authorization
-
CWE-926: Improper Restriction of Content Provider Export to Other Applications
-
CWE-927: Use of Implicit Intent for Sensitive Communication
-
-
CWE-286: Incorrect User Management
-
CWE-287: Improper Authentication
-
CWE-261: Weak Cryptography for Passwords
-
CWE-262: Not Using Password Aging
-
CWE-263: Password Aging with Long Expiration
-
CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
-
CWE-301: Reflection Attack in an Authentication Protocol
-
CWE-303: Incorrect Implementation of Authentication Algorithm
-
CWE-306: Missing Authentication for Critical Function
-
CWE-307: Improper Restriction of Excessive Authentication Attempts
-
CWE-308: Use of Single-factor Authentication
-
CWE-309: Use of Password System for Primary Authentication
-
CWE-521: Weak Password Requirements
-
CWE-522: Insufficiently Protected Credentials
-
CWE-592: Authentication Bypass Issues
-
CWE-288: Authentication Bypass Using an Alternate Path or Channel
-
CWE-289: Authentication Bypass by Alternate Name
-
CWE-290: Authentication Bypass by Spoofing
-
CWE-294: Authentication Bypass by Capture-replay
-
CWE-302: Authentication Bypass by Assumed-Immutable Data
-
CWE-305: Authentication Bypass by Primary Weakness
-
CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
-
-
CWE-603: Use of Client-Side Authentication
-
CWE-620: Unverified Password Change
-
CWE-640: Weak Password Recovery Mechanism for Forgotten Password
-
CWE-645: Overly Restrictive Account Lockout Mechanism
-
CWE-798: Use of Hard-coded Credentials
-
CWE-804: Guessable CAPTCHA
-
CWE-836: Use of Password Hash Instead of Password for Authentication
-
CWE-923: Improper Authentication of Endpoint in a Communication Channel
-
CWE-384: Session Fixation
-
-
-
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
-
CWE-404: Improper Resource Shutdown or Release
-
CWE-262: Not Using Password Aging
-
CWE-263: Password Aging with Long Expiration
-
CWE-299: Improper Check for Certificate Revocation
-
CWE-459: Incomplete Cleanup
-
CWE-619: Dangling Database Cursor ('Cursor Injection')
-
CWE-763: Release of Invalid Pointer or Reference
-
CWE-772: Missing Release of Resource after Effective Lifetime
-
-
CWE-405: Asymmetric Resource Consumption (Amplification)
-
CWE-410: Insufficient Resource Pool
-
CWE-471: Modification of Assumed-Immutable Data (MAID)
-
CWE-485: Insufficient Encapsulation
-
CWE-216: Containment Errors (Container Errors)
-
CWE-486: Comparison of Classes by Name
-
CWE-487: Reliance on Package-level Scope
-
CWE-488: Exposure of Data Element to Wrong Session
-
CWE-489: Leftover Debug Code
-
CWE-495: Private Array-Typed Field Returned From A Public Method
-
CWE-496: Public Data Assigned to Private Array-Typed Field
-
CWE-498: Cloneable Class Containing Sensitive Information
-
CWE-499: Serializable Class Containing Sensitive Data
-
CWE-501: Trust Boundary Violation
-
CWE-545: Use of Dynamic Class Loading
-
CWE-580: clone() Method Without super.clone()
-
CWE-594: J2EE Framework: Saving Unserializable Objects to Disk
-
CWE-749: Exposed Dangerous Method or Function
-
CWE-766: Critical Variable Declared Public
-
CWE-767: Access to Critical Private Variable via Public Method
-
-
CWE-610: Externally Controlled Reference to a Resource in Another Sphere
-
CWE-15: External Control of System or Configuration Setting
-
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
-
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
-
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
-
CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
-
CWE-73: External Control of File Name or Path
-
-
CWE-662: Improper Synchronization
-
CWE-663: Use of a Non-reentrant Function in a Concurrent Context
-
CWE-667: Improper Locking
-
CWE-412: Unrestricted Externally Accessible Lock
-
CWE-413: Improper Resource Locking
-
CWE-414: Missing Lock Check
-
CWE-609: Double-Checked Locking
-
CWE-764: Multiple Locks of a Critical Resource
-
CWE-765: Multiple Unlocks of a Critical Resource
-
CWE-832: Unlock of a Resource that is not Locked
-
CWE-833: Deadlock
-
-
CWE-820: Missing Synchronization
-
CWE-821: Incorrect Synchronization
-
-
CWE-665: Improper Initialization
-
CWE-453: Insecure Default Variable Initialization
-
CWE-454: External Initialization of Trusted Variables or Data Stores
-
CWE-455: Non-exit on Failed Initialization
-
CWE-457: Use of Uninitialized Variable
-
CWE-770: Allocation of Resources Without Limits or Throttling
-
CWE-909: Missing Initialization of Resource
-
-
CWE-666: Operation on Resource in Wrong Phase of Lifetime
-
CWE-415: Double Free
-
CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
-
CWE-605: Multiple Binds to the Same Port
-
CWE-672: Operation on a Resource after Expiration or Release
-
CWE-826: Premature Release of Resource During Expected Lifetime
-
-
CWE-668: Exposure of Resource to Wrong Sphere
-
CWE-200: Information Exposure
-
CWE-201: Information Exposure Through Sent Data
-
CWE-203: Information Exposure Through Discrepancy
-
CWE-209: Information Exposure Through an Error Message
-
CWE-212: Improper Cross-boundary Removal of Sensitive Data
-
CWE-213: Intentional Information Exposure
-
CWE-214: Information Exposure Through Process Environment
-
CWE-215: Information Exposure Through Debug Information
-
CWE-226: Sensitive Information Uncleared Before Release
-
CWE-359: Privacy Violation
-
CWE-497: Exposure of System Data to an Unauthorized Control Sphere
-
CWE-524: Information Exposure Through Caching
-
CWE-526: Information Exposure Through Environmental Variables
-
CWE-538: File and Directory Information Exposure
-
CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
-
CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
-
CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
-
CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
-
CWE-532: Information Exposure Through Log Files
-
CWE-539: Information Exposure Through Persistent Cookies
-
CWE-540: Information Exposure Through Source Code
-
CWE-548: Information Exposure Through Directory Listing
-
CWE-651: Information Exposure Through WSDL File
-
-
CWE-598: Information Exposure Through Query Strings in GET Request
-
CWE-612: Information Exposure Through Indexing of Private Data
-
-
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
-
CWE-23: Relative Path Traversal
-
CWE-24: Path Traversal: '../filedir'
-
CWE-25: Path Traversal: '/../filedir'
-
CWE-26: Path Traversal: '/dir/../filename'
-
CWE-27: Path Traversal: 'dir/../../filename'
-
CWE-28: Path Traversal: '..\filedir'
-
CWE-29: Path Traversal: '\..\filename'
-
CWE-30: Path Traversal: '\dir\..\filename'
-
CWE-31: Path Traversal: 'dir\..\..\filename'
-
CWE-32: Path Traversal: '...' (Triple Dot)
-
CWE-33: Path Traversal: '....' (Multiple Dot)
-
CWE-34: Path Traversal: '....//'
-
CWE-35: Path Traversal: '.../...//'
-
-
CWE-36: Absolute Path Traversal
-
-
CWE-220: Sensitive Data Under FTP Root
-
CWE-374: Passing Mutable Objects to an Untrusted Method
-
CWE-375: Returning a Mutable Object to an Untrusted Caller
-
CWE-377: Insecure Temporary File
-
CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
-
CWE-427: Uncontrolled Search Path Element
-
CWE-428: Unquoted Search Path or Element
-
CWE-491: Public cloneable() Method Without Final ('Object Hijack')
-
CWE-492: Use of Inner Class Containing Sensitive Data
-
CWE-493: Critical Public Variable Without Final Modifier
-
CWE-514: Covert Channel
-
CWE-522: Insufficiently Protected Credentials
-
CWE-552: Files or Directories Accessible to External Parties
-
CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
-
CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
-
CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
-
CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
-
CWE-532: Information Exposure Through Log Files
-
CWE-540: Information Exposure Through Source Code
-
CWE-548: Information Exposure Through Directory Listing
-
CWE-553: Command Shell in Externally Accessible Directory
-
-
CWE-582: Array Declared Public, Final, and Static
-
CWE-583: finalize() Method Declared Public
-
CWE-608: Struts: Non-private Field in ActionForm Class
-
CWE-642: External Control of Critical State Data
-
CWE-732: Incorrect Permission Assignment for Critical Resource
-
CWE-766: Critical Variable Declared Public
-
CWE-767: Access to Critical Private Variable via Public Method
-
CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote
-
CWE-927: Use of Implicit Intent for Sensitive Communication
-
-
CWE-669: Incorrect Resource Transfer Between Spheres
-
CWE-212: Improper Cross-boundary Removal of Sensitive Data
-
CWE-243: Creation of chroot Jail Without Changing Working Directory
-
CWE-434: Unrestricted Upload of File with Dangerous Type
-
CWE-494: Download of Code Without Integrity Check
-
CWE-602: Client-Side Enforcement of Server-Side Security
-
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
-
-
CWE-673: External Influence of Sphere Definition
-
CWE-704: Incorrect Type Conversion or Cast
-
CWE-706: Use of Incorrectly-Resolved Name or Reference
-
CWE-178: Improper Handling of Case Sensitivity
-
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
-
CWE-23: Relative Path Traversal
-
CWE-24: Path Traversal: '../filedir'
-
CWE-25: Path Traversal: '/../filedir'
-
CWE-26: Path Traversal: '/dir/../filename'
-
CWE-27: Path Traversal: 'dir/../../filename'
-
CWE-28: Path Traversal: '..\filedir'
-
CWE-29: Path Traversal: '\..\filename'
-
CWE-30: Path Traversal: '\dir\..\filename'
-
CWE-31: Path Traversal: 'dir\..\..\filename'
-
CWE-32: Path Traversal: '...' (Triple Dot)
-
CWE-33: Path Traversal: '....' (Multiple Dot)
-
CWE-34: Path Traversal: '....//'
-
CWE-35: Path Traversal: '.../...//'
-
-
CWE-36: Absolute Path Traversal
-
-
CWE-386: Symbolic Name not Mapping to Correct Object
-
CWE-41: Improper Resolution of Path Equivalence
-
CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
-
CWE-44: Path Equivalence: 'file.name' (Internal Dot)
-
CWE-46: Path Equivalence: 'filename ' (Trailing Space)
-
CWE-47: Path Equivalence: ' filename' (Leading Space)
-
CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
-
CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
-
CWE-50: Path Equivalence: '//multiple/leading/slash'
-
CWE-51: Path Equivalence: '/multiple//internal/slash'
-
CWE-52: Path Equivalence: '/multiple/trailing/slash//'
-
CWE-53: Path Equivalence: '\multiple\\internal\backslash'
-
CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash)
-
CWE-55: Path Equivalence: '/./' (Single Dot Directory)
-
CWE-56: Path Equivalence: 'filedir*' (Wildcard)
-
CWE-57: Path Equivalence: 'fakedir/../realdir/filename'
-
CWE-58: Path Equivalence: Windows 8.3 Filename
-
-
CWE-59: Improper Link Resolution Before File Access ('Link Following')
-
CWE-66: Improper Handling of File Names that Identify Virtual Resources
-
CWE-827: Improper Control of Document Type Definition
-
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
-
-
CWE-908: Use of Uninitialized Resource
-
CWE-911: Improper Update of Reference Count
-
CWE-913: Improper Control of Dynamically-Managed Code Resources
-
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
-
CWE-502: Deserialization of Untrusted Data
-
CWE-914: Improper Control of Dynamically-Identified Variables
-
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
-
CWE-94: Improper Control of Generation of Code ('Code Injection')
-
-
CWE-922: Insecure Storage of Sensitive Information
-
CWE-312: Cleartext Storage of Sensitive Information
-
CWE-313: Cleartext Storage in a File or on Disk
-
CWE-314: Cleartext Storage in the Registry
-
CWE-315: Cleartext Storage of Sensitive Information in a Cookie
-
CWE-316: Cleartext Storage of Sensitive Information in Memory
-
CWE-317: Cleartext Storage of Sensitive Information in GUI
-
CWE-318: Cleartext Storage of Sensitive Information in Executable
-
-
CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
-
-
-
CWE-682: Incorrect Calculation
-
CWE-128: Wrap-around Error
-
CWE-131: Incorrect Calculation of Buffer Size
-
CWE-135: Incorrect Calculation of Multi-Byte String Length
-
CWE-190: Integer Overflow or Wraparound
-
CWE-191: Integer Underflow (Wrap or Wraparound)
-
CWE-193: Off-by-one Error
-
CWE-369: Divide By Zero
-
CWE-467: Use of sizeof() on a Pointer Type
-
CWE-468: Incorrect Pointer Scaling
-
CWE-469: Use of Pointer Subtraction to Determine Size
-
CWE-839: Numeric Range Comparison Without Minimum Check
-
-
CWE-691: Insufficient Control Flow Management
-
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
-
CWE-430: Deployment of Wrong Handler
-
CWE-431: Missing Handler
-
CWE-623: Unsafe ActiveX Control Marked Safe For Scripting
-
CWE-662: Improper Synchronization
-
CWE-663: Use of a Non-reentrant Function in a Concurrent Context
-
CWE-667: Improper Locking
-
CWE-412: Unrestricted Externally Accessible Lock
-
CWE-413: Improper Resource Locking
-
CWE-414: Missing Lock Check
-
CWE-609: Double-Checked Locking
-
CWE-764: Multiple Locks of a Critical Resource
-
CWE-765: Multiple Unlocks of a Critical Resource
-
CWE-832: Unlock of a Resource that is not Locked
-
CWE-833: Deadlock
-
-
CWE-820: Missing Synchronization
-
CWE-821: Incorrect Synchronization
-
-
CWE-670: Always-Incorrect Control Flow Implementation
-
CWE-696: Incorrect Behavior Order
-
CWE-705: Incorrect Control Flow Scoping
-
CWE-248: Uncaught Exception
-
CWE-382: J2EE Bad Practices: Use of System.exit()
-
CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
-
CWE-396: Declaration of Catch for Generic Exception
-
CWE-397: Declaration of Throws for Generic Exception
-
CWE-455: Non-exit on Failed Initialization
-
CWE-584: Return Inside Finally Block
-
CWE-698: Execution After Redirect (EAR)
-
-
CWE-749: Exposed Dangerous Method or Function
-
CWE-768: Incorrect Short Circuit Evaluation
-
CWE-799: Improper Control of Interaction Frequency
-
CWE-834: Excessive Iteration
-
CWE-841: Improper Enforcement of Behavioral Workflow
-
CWE-94: Improper Control of Generation of Code ('Code Injection')
-
-
CWE-693: Protection Mechanism Failure
-
CWE-179: Incorrect Behavior Order: Early Validation
-
CWE-182: Collapse of Data into Unsafe Value
-
CWE-183: Permissive Whitelist
-
CWE-184: Incomplete Blacklist
-
CWE-20: Improper Input Validation
-
CWE-105: Struts: Form Field Without Validator
-
CWE-106: Struts: Plug-in Framework not in Use
-
CWE-108: Struts: Unvalidated Action Form
-
CWE-109: Struts: Validator Turned Off
-
CWE-112: Missing XML Validation
-
CWE-114: Process Control
-
CWE-129: Improper Validation of Array Index
-
CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework
-
CWE-606: Unchecked Input for Loop Condition
-
CWE-622: Improper Validation of Function Hook Arguments
-
CWE-626: Null Byte Interaction Error (Poison Null Byte)
-
CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
-
CWE-789: Uncontrolled Memory Allocation
-
CWE-680: Integer Overflow to Buffer Overflow
-
CWE-690: Unchecked Return Value to NULL Pointer Dereference
-
CWE-692: Incomplete Blacklist to Cross-Site Scripting
-
-
CWE-284: Improper Access Control
-
CWE-269: Improper Privilege Management
-
CWE-250: Execution with Unnecessary Privileges
-
CWE-266: Incorrect Privilege Assignment
-
CWE-267: Privilege Defined With Unsafe Actions
-
CWE-268: Privilege Chaining
-
CWE-270: Privilege Context Switching Error
-
CWE-271: Privilege Dropping / Lowering Errors
-
CWE-274: Improper Handling of Insufficient Privileges
-
CWE-648: Incorrect Use of Privileged APIs
-
-
CWE-282: Improper Ownership Management
-
CWE-285: Improper Authorization
-
CWE-219: Sensitive Data Under Web Root
-
CWE-732: Incorrect Permission Assignment for Critical Resource
-
CWE-862: Missing Authorization
-
CWE-863: Incorrect Authorization
-
CWE-926: Improper Restriction of Content Provider Export to Other Applications
-
CWE-927: Use of Implicit Intent for Sensitive Communication
-
-
CWE-286: Incorrect User Management
-
CWE-287: Improper Authentication
-
CWE-261: Weak Cryptography for Passwords
-
CWE-262: Not Using Password Aging
-
CWE-263: Password Aging with Long Expiration
-
CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
-
CWE-301: Reflection Attack in an Authentication Protocol
-
CWE-303: Incorrect Implementation of Authentication Algorithm
-
CWE-306: Missing Authentication for Critical Function
-
CWE-307: Improper Restriction of Excessive Authentication Attempts
-
CWE-308: Use of Single-factor Authentication
-
CWE-309: Use of Password System for Primary Authentication
-
CWE-521: Weak Password Requirements
-
CWE-522: Insufficiently Protected Credentials
-
CWE-592: Authentication Bypass Issues
-
CWE-288: Authentication Bypass Using an Alternate Path or Channel
-
CWE-289: Authentication Bypass by Alternate Name
-
CWE-290: Authentication Bypass by Spoofing
-
CWE-294: Authentication Bypass by Capture-replay
-
CWE-302: Authentication Bypass by Assumed-Immutable Data
-
CWE-305: Authentication Bypass by Primary Weakness
-
CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
-
-
CWE-603: Use of Client-Side Authentication
-
CWE-620: Unverified Password Change
-
CWE-640: Weak Password Recovery Mechanism for Forgotten Password
-
CWE-645: Overly Restrictive Account Lockout Mechanism
-
CWE-798: Use of Hard-coded Credentials
-
CWE-804: Guessable CAPTCHA
-
CWE-836: Use of Password Hash Instead of Password for Authentication
-
CWE-923: Improper Authentication of Endpoint in a Communication Channel
-
CWE-384: Session Fixation
-
-
-
CWE-295: Improper Certificate Validation
-
CWE-311: Missing Encryption of Sensitive Data
-
CWE-312: Cleartext Storage of Sensitive Information
-
CWE-313: Cleartext Storage in a File or on Disk
-
CWE-314: Cleartext Storage in the Registry
-
CWE-315: Cleartext Storage of Sensitive Information in a Cookie
-
CWE-316: Cleartext Storage of Sensitive Information in Memory
-
CWE-317: Cleartext Storage of Sensitive Information in GUI
-
CWE-318: Cleartext Storage of Sensitive Information in Executable
-
-
CWE-319: Cleartext Transmission of Sensitive Information
-
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
-
-
CWE-326: Inadequate Encryption Strength
-
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
-
CWE-345: Insufficient Verification of Data Authenticity
-
CWE-346: Origin Validation Error
-
CWE-347: Improper Verification of Cryptographic Signature
-
CWE-348: Use of Less Trusted Source
-
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
-
CWE-351: Insufficient Type Distinction
-
CWE-353: Missing Support for Integrity Check
-
CWE-354: Improper Validation of Integrity Check Value
-
CWE-360: Trust of System Event Data
-
CWE-616: Incomplete Identification of Uploaded File Variables (PHP)
-
CWE-646: Reliance on File Name or Extension of Externally-Supplied File
-
CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
-
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
-
CWE-352: Cross-Site Request Forgery (CSRF)
-
-
CWE-357: Insufficient UI Warning of Dangerous Operations
-
CWE-358: Improperly Implemented Security Check for Standard
-
CWE-424: Improper Protection of Alternate Path
-
CWE-602: Client-Side Enforcement of Server-Side Security
-
CWE-653: Insufficient Compartmentalization
-
CWE-654: Reliance on a Single Factor in a Security Decision
-
CWE-655: Insufficient Psychological Acceptability
-
CWE-656: Reliance on Security Through Obscurity
-
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
-
CWE-778: Insufficient Logging
-
CWE-807: Reliance on Untrusted Inputs in a Security Decision
-
-
CWE-697: Insufficient Comparison
-
CWE-183: Permissive Whitelist
-
CWE-184: Incomplete Blacklist
-
CWE-185: Incorrect Regular Expression
-
CWE-187: Partial Comparison
-
CWE-372: Incomplete Internal State Distinction
-
CWE-478: Missing Default Case in Switch Statement
-
CWE-486: Comparison of Classes by Name
-
CWE-595: Comparison of Object References Instead of Object Contents
-
CWE-596: Incorrect Semantic Object Comparison
-
-
CWE-703: Improper Check or Handling of Exceptional Conditions
-
CWE-166: Improper Handling of Missing Special Element
-
CWE-167: Improper Handling of Additional Special Element
-
CWE-168: Improper Handling of Inconsistent Special Elements
-
CWE-228: Improper Handling of Syntactically Invalid Structure
-
CWE-248: Uncaught Exception
-
CWE-274: Improper Handling of Insufficient Privileges
-
CWE-280: Improper Handling of Insufficient Permissions or Privileges
-
CWE-333: Improper Handling of Insufficient Entropy in TRNG
-
CWE-391: Unchecked Error Condition
-
CWE-392: Missing Report of Error Condition
-
CWE-393: Return of Wrong Status Code
-
CWE-397: Declaration of Throws for Generic Exception
-
CWE-754: Improper Check for Unusual or Exceptional Conditions
-
CWE-755: Improper Handling of Exceptional Conditions
-
CWE-209: Information Exposure Through an Error Message
-
CWE-390: Detection of Error Condition Without Action
-
CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
-
CWE-396: Declaration of Catch for Generic Exception
-
CWE-460: Improper Cleanup on Thrown Exception
-
CWE-544: Missing Standardized Error Handling Mechanism
-
CWE-636: Not Failing Securely ('Failing Open')
-
CWE-756: Missing Custom Error Page
-
-
-
CWE-707: Improper Enforcement of Message or Data Structure
-
CWE-116: Improper Encoding or Escaping of Output
-
CWE-138: Improper Neutralization of Special Elements
-
CWE-140: Improper Neutralization of Delimiters
-
CWE-141: Improper Neutralization of Parameter/Argument Delimiters
-
CWE-142: Improper Neutralization of Value Delimiters
-
CWE-143: Improper Neutralization of Record Delimiters
-
CWE-144: Improper Neutralization of Line Delimiters
-
CWE-145: Improper Neutralization of Section Delimiters
-
CWE-146: Improper Neutralization of Expression/Command Delimiters
-
-
CWE-147: Improper Neutralization of Input Terminators
-
CWE-148: Improper Neutralization of Input Leaders
-
CWE-149: Improper Neutralization of Quoting Syntax
-
CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
-
CWE-151: Improper Neutralization of Comment Delimiters
-
CWE-152: Improper Neutralization of Macro Symbols
-
CWE-153: Improper Neutralization of Substitution Characters
-
CWE-154: Improper Neutralization of Variable Name Delimiters
-
CWE-155: Improper Neutralization of Wildcards or Matching Symbols
-
CWE-156: Improper Neutralization of Whitespace
-
CWE-157: Failure to Sanitize Paired Delimiters
-
CWE-158: Improper Neutralization of Null Byte or NUL Character
-
CWE-159: Failure to Sanitize Special Element
-
CWE-160: Improper Neutralization of Leading Special Elements
-
CWE-162: Improper Neutralization of Trailing Special Elements
-
CWE-164: Improper Neutralization of Internal Special Elements
-
CWE-166: Improper Handling of Missing Special Element
-
CWE-167: Improper Handling of Additional Special Element
-
CWE-168: Improper Handling of Inconsistent Special Elements
-
-
CWE-464: Addition of Data Structure Sentinel
-
CWE-790: Improper Filtering of Special Elements
-
-
CWE-170: Improper Null Termination
-
CWE-172: Encoding Error
-
CWE-228: Improper Handling of Syntactically Invalid Structure
-
CWE-240: Improper Handling of Inconsistent Structural Elements
-
CWE-463: Deletion of Data Structure Sentinel
-
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
-
CWE-134: Uncontrolled Format String
-
CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
-
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
-
CWE-624: Executable Regular Expression Error
-
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
-
CWE-88: Argument Injection or Modification
-
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
-
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
-
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
-
-
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
-
CWE-81: Improper Neutralization of Script in an Error Message Web Page
-
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
-
CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
-
CWE-85: Doubled Character XSS Manipulations
-
CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
-
CWE-87: Improper Neutralization of Alternate XSS Syntax
-
-
CWE-91: XML Injection (aka Blind XPath Injection)
-
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
-
CWE-94: Improper Control of Generation of Code ('Code Injection')
-
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
-
-
-
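The injection entries above (CWE-78 OS command injection, CWE-88 argument injection, CWE-89 SQL injection and CWE-158 NUL byte handling) are the ones most often seen in practice. The following is an added example, not code from the Red Hat page or from any Red Hat product: each weakness is shown as a vulnerable function beside its hardened form. The table rows, file names and payloads are constructed for the demonstration.

```python
"""Added example: CWE-78, CWE-88, CWE-89 and CWE-158 as vulnerable code
beside the hardened form. All inputs are constructed; this is not Red Hat
code and describes no real advisory."""
import shlex
import sqlite3

# --- CWE-78 / CWE-88: OS command and argument injection -------------------

def shell_command_vulnerable(filename: str) -> str:
    """CWE-78: user data concatenated into a string that a shell will parse.
    Returned rather than executed so the injected token can be inspected."""
    return "ls -l " + filename

def shell_command_hardened(filename: str) -> str:
    """If a shell string is unavoidable, quote the argument with shlex.quote
    and put '--' first so a leading '-' cannot become an option (CWE-88)."""
    return "ls -l -- " + shlex.quote(filename)

def argv_hardened(filename: str) -> list:
    """Preferred form: an argv list handed to the process directly, no shell.
    NUL is rejected up front because execve() would truncate at it (CWE-158)."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    return ["ls", "-l", "--", filename]

# --- CWE-89: SQL injection -------------------------------------------------

def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "secret-a"), ("bob", "secret-b")])
    return con

def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """CWE-89: the name is spliced into the statement text; a quote in the
    input closes the literal and the remainder is parsed as SQL."""
    rows = con.execute(
        f"SELECT secret FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]

def lookup_hardened(con: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value travels separately from the statement,
    so it can only ever be compared as data."""
    rows = con.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]

# --- CWE-158: NUL byte -----------------------------------------------------

def c_string_view(s: str) -> bytes:
    """What a NUL-terminated C API sees for this Python string: everything
    up to the first NUL byte."""
    return s.encode("utf-8").split(b"\x00", 1)[0]

def allowed_image_vulnerable(filename: str) -> bool:
    """Extension check on the full Python string. Passes for
    'evil.sh\\x00.jpg' although the C layer underneath would open 'evil.sh'."""
    return filename.lower().endswith(".jpg")

def allowed_image_hardened(filename: str) -> bool:
    """Reject NUL before any other check, then check the extension."""
    if "\x00" in filename:
        return False
    return filename.lower().endswith(".jpg")

if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"
    print("CWE-89 vulnerable:", lookup_vulnerable(con, payload))
    print("CWE-89 hardened:  ", lookup_hardened(con, payload))
    print("CWE-78 vulnerable:", shell_command_vulnerable("report.txt; id"))
    print("CWE-78 hardened:  ", shell_command_hardened("report.txt; id"))
    print("CWE-158 C view:   ", c_string_view("evil.sh\x00.jpg"))
```

The common thread is that neutralization is only reliable when the data never reaches a parser as text: an argv list instead of a shell string, a bound parameter instead of a spliced literal, and a hard rejection of NUL before any string-level validation, because the validating layer and the consuming layer otherwise disagree about where the value ends.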
CWE-710: Coding Standards Violation
-
CWE-227: Improper Fulfillment of API Contract ('API Abuse')
-
CWE-573: Improper Following of Specification by Caller
-
CWE-103: Struts: Incomplete validate() Method Definition
-
CWE-104: Struts: Form Bean Does Not Extend Validation Class
-
CWE-243: Creation of chroot Jail Without Changing Working Directory
-
CWE-253: Incorrect Check of Function Return Value
-
CWE-296: Improper Following of a Certificate's Chain of Trust
-
CWE-304: Missing Critical Step in Authentication
-
CWE-325: Missing Required Cryptographic Step
-
CWE-329: Not Using a Random IV with CBC Mode
-
CWE-358: Improperly Implemented Security Check for Standard
-
CWE-475: Undefined Behavior for Input to API
-
CWE-568: finalize() Method Without super.finalize()
-
CWE-577: EJB Bad Practices: Use of Sockets
-
CWE-578: EJB Bad Practices: Use of Class Loader
-
CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session
-
CWE-580: clone() Method Without super.clone()
-
CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined
-
CWE-628: Function Call with Incorrectly Specified Arguments
-
CWE-683: Function Call With Incorrect Order of Arguments
-
CWE-685: Function Call With Incorrect Number of Arguments
-
CWE-686: Function Call With Incorrect Argument Type
-
CWE-687: Function Call With Incorrectly Specified Argument Value
-
CWE-688: Function Call With Incorrect Variable or Reference as Argument
-
-
CWE-675: Duplicate Operations on Resource
-
CWE-694: Use of Multiple Resources with Duplicate Identifier
-
CWE-695: Use of Low-Level Functionality
-
CWE-111: Direct Use of Unsafe JNI
-
CWE-245: J2EE Bad Practices: Direct Management of Connections
-
CWE-246: J2EE Bad Practices: Direct Use of Sockets
-
CWE-383: J2EE Bad Practices: Direct Use of Threads
-
CWE-574: EJB Bad Practices: Use of Synchronization Primitives
-
CWE-575: EJB Bad Practices: Use of AWT Swing
-
CWE-576: EJB Bad Practices: Use of Java I/O
-
-
-
CWE-586: Explicit Call to Finalize()
-
CWE-648: Incorrect Use of Privileged APIs
-
CWE-650: Trusting HTTP Permission Methods on the Server Side
-
CWE-684: Incorrect Provision of Specified Functionality
-
-
CWE-242: Use of Inherently Dangerous Function
-
CWE-398: Indicator of Poor Code Quality
-
CWE-107: Struts: Unused Validation Form
-
CWE-110: Struts: Validator Without Form Field
-
CWE-474: Use of Function with Inconsistent Implementations
-
CWE-476: NULL Pointer Dereference
-
CWE-477: Use of Obsolete Functions
-
CWE-484: Omitted Break Statement in Switch
-
CWE-546: Suspicious Comment
-
CWE-547: Use of Hard-coded, Security-relevant Constants
-
CWE-561: Dead Code
-
CWE-562: Return of Stack Variable Address
-
CWE-563: Unused Variable
-
CWE-585: Empty Synchronized Block
-
CWE-676: Use of Potentially Dangerous Function
-
-
CWE-657: Violation of Secure Design Principles
-
CWE-250: Execution with Unnecessary Privileges
-
CWE-636: Not Failing Securely ('Failing Open')
-
CWE-637: Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
-
CWE-638: Not Using Complete Mediation
-
CWE-653: Insufficient Compartmentalization
-
CWE-654: Reliance on a Single Factor in a Security Decision
-
CWE-655: Insufficient Psychological Acceptability
-
CWE-656: Reliance on Security Through Obscurity
-
CWE-671: Lack of Administrator Control over Security
-
-
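Two of the design-principle entries above, CWE-636 (failing open) and CWE-638 (incomplete mediation), are easy to state and easy to get wrong in code. The following is an added example, not code from the Red Hat page: a constructed policy store that can be taken offline, an authorization check written both ways, and an access gate that caches a decision beside one that re-checks on every access. Users, resources and the outage flag are all assumptions for the demonstration.

```python
"""Added example: CWE-636 'failing open' and CWE-638 incomplete mediation,
each beside the corrected form. The policy store, users and resources are
constructed for the demonstration; this is not Red Hat code."""
from typing import Dict, Set, Tuple

class PolicyStore:
    """Constructed stand-in for an authorization backend. Setting
    `available` to False simulates an outage: lookups raise instead of
    answering."""
    def __init__(self, grants: Dict[str, Set[str]]):
        self.grants = grants
        self.available = True

    def may_read(self, user: str, resource: str) -> bool:
        if not self.available:
            raise ConnectionError("policy backend unreachable")
        return resource in self.grants.get(user, set())

def authorize_fail_open(store: PolicyStore, user: str, resource: str) -> bool:
    """CWE-636: an error inside the check is treated as permission."""
    try:
        return store.may_read(user, resource)
    except ConnectionError:
        return True   # 'keep the app working': an outage becomes access

def authorize_fail_closed(store: PolicyStore, user: str, resource: str) -> bool:
    """Any failure denies. The only path to True is a positive answer from
    the policy store."""
    try:
        return store.may_read(user, resource)
    except ConnectionError:
        return False

class CachedGate:
    """CWE-638: the decision is taken once per (user, resource) and reused
    for every later access, so a revoked grant keeps working."""
    def __init__(self, store: PolicyStore):
        self.store = store
        self._cache: Dict[Tuple[str, str], bool] = {}

    def read(self, user: str, resource: str) -> bool:
        key = (user, resource)
        if key not in self._cache:
            self._cache[key] = authorize_fail_closed(self.store, user, resource)
        return self._cache[key]

class MediatedGate:
    """Complete mediation: every access re-checks the current policy."""
    def __init__(self, store: PolicyStore):
        self.store = store

    def read(self, user: str, resource: str) -> bool:
        return authorize_fail_closed(self.store, user, resource)

def revoke(store: PolicyStore, user: str, resource: str) -> None:
    """Remove a grant; a mediated gate must start denying immediately."""
    store.grants.get(user, set()).discard(resource)

def make_store() -> PolicyStore:
    """Constructed policy: alice may read doc1, nobody else may read anything."""
    return PolicyStore({"alice": {"doc1"}})

if __name__ == "__main__":
    store = make_store()
    store.available = False
    print("outage, fail-open  :", authorize_fail_open(store, "mallory", "doc1"))
    print("outage, fail-closed:", authorize_fail_closed(store, "mallory", "doc1"))
    store.available = True
    cached, mediated = CachedGate(store), MediatedGate(store)
    cached.read("alice", "doc1"); mediated.read("alice", "doc1")
    revoke(store, "alice", "doc1")
    print("after revoke, cached  :", cached.read("alice", "doc1"))
    print("after revoke, mediated:", mediated.read("alice", "doc1"))
```

The fail-open variant is usually introduced with good intentions (a broad `except` added to keep a page rendering during a backend incident); the fix is structural rather than a matter of tuning: the default return of an authorization function is deny, and caching of decisions, if it is needed for performance, must be invalidated on every policy change or bounded by a TTL short enough for the revocation requirements of the system.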
CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
-
CWE-912: Hidden Functionality
-
-