CWE coverage for Red Hat Customer Portal emphasized in the Developer View (CWE-699)
- CWE-699: Development Concepts
- CWE-629: Weaknesses in OWASP Top Ten (2007)
- CWE-631: Resource-specific Weaknesses
- CWE-701: Weaknesses Introduced During Design
- CWE-702: Weaknesses Introduced During Implementation
- CWE-1: Location
- CWE-16: Configuration
- CWE-17: Code
- CWE-18: Source Code
- CWE-19: Data Handling
- CWE-133: String Errors
- CWE-136: Type Errors
- CWE-137: Representation Errors
- CWE-171: Cleansing, Canonicalization, and Comparison Errors
- CWE-172: Encoding Error
- CWE-178: Improper Handling of Case Sensitivity
- CWE-179: Incorrect Behavior Order: Early Validation
- CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
- CWE-181: Incorrect Behavior Order: Validate Before Filter
- CWE-182: Collapse of Data into Unsafe Value
- CWE-183: Permissive Whitelist
- CWE-184: Incomplete Blacklist
- CWE-185: Incorrect Regular Expression
- CWE-187: Partial Comparison
- CWE-478: Missing Default Case in Switch Statement
- CWE-486: Comparison of Classes by Name
- CWE-595: Comparison of Object References Instead of Object Contents
- CWE-596: Incorrect Semantic Object Comparison
- CWE-697: Insufficient Comparison
- CWE-768: Incorrect Short Circuit Evaluation
- CWE-138: Improper Neutralization of Special Elements
- CWE-169: Technology-Specific Special Elements
- CWE-140: Improper Neutralization of Delimiters
- CWE-141: Improper Neutralization of Parameter/Argument Delimiters
- CWE-142: Improper Neutralization of Value Delimiters
- CWE-143: Improper Neutralization of Record Delimiters
- CWE-144: Improper Neutralization of Line Delimiters
- CWE-145: Improper Neutralization of Section Delimiters
- CWE-146: Improper Neutralization of Expression/Command Delimiters
- CWE-147: Improper Neutralization of Input Terminators
- CWE-148: Improper Neutralization of Input Leaders
- CWE-149: Improper Neutralization of Quoting Syntax
- CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
- CWE-151: Improper Neutralization of Comment Delimiters
- CWE-152: Improper Neutralization of Macro Symbols
- CWE-153: Improper Neutralization of Substitution Characters
- CWE-154: Improper Neutralization of Variable Name Delimiters
- CWE-155: Improper Neutralization of Wildcards or Matching Symbols
- CWE-156: Improper Neutralization of Whitespace
- CWE-157: Failure to Sanitize Paired Delimiters
- CWE-158: Improper Neutralization of Null Byte or NUL Character
- CWE-159: Failure to Sanitize Special Element
- CWE-160: Improper Neutralization of Leading Special Elements
- CWE-162: Improper Neutralization of Trailing Special Elements
- CWE-164: Improper Neutralization of Internal Special Elements
- CWE-166: Improper Handling of Missing Special Element
- CWE-167: Improper Handling of Additional Special Element
- CWE-168: Improper Handling of Inconsistent Special Elements
- CWE-188: Reliance on Data/Memory Layout
- CWE-228: Improper Handling of Syntactically Invalid Structure
- CWE-189: Numeric Errors
- CWE-128: Wrap-around Error
- CWE-129: Improper Validation of Array Index
- CWE-190: Integer Overflow or Wraparound
- CWE-195: Signed to Unsigned Conversion Error
- CWE-198: Use of Incorrect Byte Ordering
- CWE-681: Incorrect Conversion between Numeric Types
- CWE-682: Incorrect Calculation
- CWE-839: Numeric Range Comparison Without Minimum Check
- CWE-199: Information Management Errors
- CWE-200: Information Exposure
- CWE-201: Information Exposure Through Sent Data
- CWE-202: Exposure of Sensitive Data Through Data Queries
- CWE-203: Information Exposure Through Discrepancy
- CWE-209: Information Exposure Through an Error Message
- CWE-212: Improper Cross-boundary Removal of Sensitive Data
- CWE-213: Intentional Information Exposure
- CWE-214: Information Exposure Through Process Environment
- CWE-215: Information Exposure Through Debug Information
- CWE-226: Sensitive Information Uncleared Before Release
- CWE-497: Exposure of System Data to an Unauthorized Control Sphere
- CWE-524: Information Exposure Through Caching
- CWE-526: Information Exposure Through Environmental Variables
- CWE-538: File and Directory Information Exposure
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
- CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
- CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
- CWE-532: Information Exposure Through Log Files
- CWE-539: Information Exposure Through Persistent Cookies
- CWE-540: Information Exposure Through Source Code
- CWE-548: Information Exposure Through Directory Listing
- CWE-651: Information Exposure Through WSDL File
- CWE-598: Information Exposure Through Query Strings in GET Request
- CWE-612: Information Exposure Through Indexing of Private Data
- CWE-216: Containment Errors (Container Errors)
- CWE-221: Information Loss or Omission
- CWE-779: Logging of Excessive Data
- CWE-461: Data Structure Issues
- CWE-116: Improper Encoding or Escaping of Output
- CWE-118: Improper Access of Indexable Resource ('Range Error')
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: Write-what-where Condition
- CWE-125: Out-of-bounds Read
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
- CWE-20: Improper Input Validation
- CWE-100: Technology-Specific Input Validation Problems
- CWE-101: Struts Validation Problems
- CWE-102: Struts: Duplicate Validation Forms
- CWE-103: Struts: Incomplete validate() Method Definition
- CWE-104: Struts: Form Bean Does Not Extend Validation Class
- CWE-105: Struts: Form Field Without Validator
- CWE-106: Struts: Plug-in Framework not in Use
- CWE-107: Struts: Unused Validation Form
- CWE-108: Struts: Unvalidated Action Form
- CWE-109: Struts: Validator Turned Off
- CWE-110: Struts: Validator Without Form Field
- CWE-608: Struts: Non-private Field in ActionForm Class
- CWE-21: Pathname Traversal and Equivalence Errors
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
- CWE-24: Path Traversal: '../filedir'
- CWE-25: Path Traversal: '/../filedir'
- CWE-26: Path Traversal: '/dir/../filename'
- CWE-27: Path Traversal: 'dir/../../filename'
- CWE-28: Path Traversal: '..\filedir'
- CWE-29: Path Traversal: '\..\filename'
- CWE-30: Path Traversal: '\dir\..\filename'
- CWE-31: Path Traversal: 'dir\..\..\filename'
- CWE-32: Path Traversal: '...' (Triple Dot)
- CWE-33: Path Traversal: '....' (Multiple Dot)
- CWE-34: Path Traversal: '....//'
- CWE-35: Path Traversal: '.../...//'
- CWE-36: Absolute Path Traversal
- CWE-41: Improper Resolution of Path Equivalence
- CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
- CWE-44: Path Equivalence: 'file.name' (Internal Dot)
- CWE-46: Path Equivalence: 'filename ' (Trailing Space)
- CWE-47: Path Equivalence: ' filename' (Leading Space)
- CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
- CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
- CWE-50: Path Equivalence: '//multiple/leading/slash'
- CWE-51: Path Equivalence: '/multiple//internal/slash'
- CWE-52: Path Equivalence: '/multiple/trailing/slash//'
- CWE-53: Path Equivalence: '\multiple\\internal\backslash'
- CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash)
- CWE-55: Path Equivalence: '/./' (Single Dot Directory)
- CWE-56: Path Equivalence: 'filedir*' (Wildcard)
- CWE-57: Path Equivalence: 'fakedir/../realdir/filename'
- CWE-58: Path Equivalence: Windows 8.3 Filename
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-66: Improper Handling of File Names that Identify Virtual Resources
- CWE-111: Direct Use of Unsafe JNI
- CWE-112: Missing XML Validation
- CWE-114: Process Control
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: Write-what-where Condition
- CWE-125: Out-of-bounds Read
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
- CWE-129: Improper Validation of Array Index
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-606: Unchecked Input for Loop Condition
- CWE-622: Improper Validation of Function Hook Arguments
- CWE-626: Null Byte Interaction Error (Poison Null Byte)
- CWE-73: External Control of File Name or Path
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-134: Uncontrolled Format String
- CWE-138: Improper Neutralization of Special Elements
- CWE-169: Technology-Specific Special Elements
- CWE-140: Improper Neutralization of Delimiters
- CWE-141: Improper Neutralization of Parameter/Argument Delimiters
- CWE-142: Improper Neutralization of Value Delimiters
- CWE-143: Improper Neutralization of Record Delimiters
- CWE-144: Improper Neutralization of Line Delimiters
- CWE-145: Improper Neutralization of Section Delimiters
- CWE-146: Improper Neutralization of Expression/Command Delimiters
- CWE-147: Improper Neutralization of Input Terminators
- CWE-148: Improper Neutralization of Input Leaders
- CWE-149: Improper Neutralization of Quoting Syntax
- CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
- CWE-151: Improper Neutralization of Comment Delimiters
- CWE-152: Improper Neutralization of Macro Symbols
- CWE-153: Improper Neutralization of Substitution Characters
- CWE-154: Improper Neutralization of Variable Name Delimiters
- CWE-155: Improper Neutralization of Wildcards or Matching Symbols
- CWE-156: Improper Neutralization of Whitespace
- CWE-157: Failure to Sanitize Paired Delimiters
- CWE-158: Improper Neutralization of Null Byte or NUL Character
- CWE-159: Failure to Sanitize Special Element
- CWE-160: Improper Neutralization of Leading Special Elements
- CWE-162: Improper Neutralization of Trailing Special Elements
- CWE-164: Improper Neutralization of Internal Special Elements
- CWE-166: Improper Handling of Missing Special Element
- CWE-167: Improper Handling of Additional Special Element
- CWE-168: Improper Handling of Inconsistent Special Elements
- CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-624: Executable Regular Expression Error
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-88: Argument Injection or Modification
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
- CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
- CWE-85: Doubled Character XSS Manipulations
- CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
- CWE-87: Improper Neutralization of Alternate XSS Syntax
- CWE-91: XML Injection (aka Blind XPath Injection)
- CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
- CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
- CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer
- CWE-228: Improper Handling of Syntactically Invalid Structure
- CWE-471: Modification of Assumed-Immutable Data (MAID)
- CWE-254: Security Features
- CWE-255: Credentials Management
- CWE-261: Weak Cryptography for Passwords
- CWE-262: Not Using Password Aging
- CWE-263: Password Aging with Long Expiration
- CWE-521: Weak Password Requirements
- CWE-522: Insufficiently Protected Credentials
- CWE-549: Missing Password Field Masking
- CWE-620: Unverified Password Change
- CWE-640: Weak Password Recovery Mechanism for Forgotten Password
- CWE-798: Use of Hard-coded Credentials
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-265: Privilege / Sandbox Issues
- CWE-250: Execution with Unnecessary Privileges
- CWE-266: Incorrect Privilege Assignment
- CWE-267: Privilege Defined With Unsafe Actions
- CWE-268: Privilege Chaining
- CWE-269: Improper Privilege Management
- CWE-271: Privilege Dropping / Lowering Errors
- CWE-274: Improper Handling of Insufficient Privileges
- CWE-610: Externally Controlled Reference to a Resource in Another Sphere
- CWE-648: Incorrect Use of Privileged APIs
- CWE-275: Permission Issues
- CWE-276: Incorrect Default Permissions
- CWE-277: Insecure Inherited Permissions
- CWE-278: Insecure Preserved Inherited Permissions
- CWE-279: Incorrect Execution-Assigned Permissions
- CWE-280: Improper Handling of Insufficient Permissions or Privileges
- CWE-281: Improper Preservation of Permissions
- CWE-618: Exposed Unsafe ActiveX Method
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-689: Permission Race Condition During Resource Copy
- CWE-282: Improper Ownership Management
- CWE-284: Improper Access Control
- CWE-269: Improper Privilege Management
- CWE-285: Improper Authorization
- CWE-286: Incorrect User Management
- CWE-287: Improper Authentication
- CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
- CWE-301: Reflection Attack in an Authentication Protocol
- CWE-303: Incorrect Implementation of Authentication Algorithm
- CWE-304: Missing Critical Step in Authentication
- CWE-306: Missing Authentication for Critical Function
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-308: Use of Single-factor Authentication
- CWE-309: Use of Password System for Primary Authentication
- CWE-592: Authentication Bypass Issues
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-289: Authentication Bypass by Alternate Name
- CWE-290: Authentication Bypass by Spoofing
- CWE-294: Authentication Bypass by Capture-replay
- CWE-302: Authentication Bypass by Assumed-Immutable Data
- CWE-305: Authentication Bypass by Primary Weakness
- CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
- CWE-603: Use of Client-Side Authentication
- CWE-620: Unverified Password Change
- CWE-645: Overly Restrictive Account Lockout Mechanism
- CWE-804: Guessable CAPTCHA
- CWE-836: Use of Password Hash Instead of Password for Authentication
- CWE-923: Improper Authentication of Endpoint in a Communication Channel
- CWE-384: Session Fixation
- CWE-782: Exposed IOCTL with Insufficient Access Control
- CWE-310: Cryptographic Issues
- CWE-320: Key Management Errors
- CWE-311: Missing Encryption of Sensitive Data
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-313: Cleartext Storage in a File or on Disk
- CWE-314: Cleartext Storage in the Registry
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie
- CWE-316: Cleartext Storage of Sensitive Information in Memory
- CWE-317: Cleartext Storage of Sensitive Information in GUI
- CWE-318: Cleartext Storage of Sensitive Information in Executable
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- CWE-325: Missing Required Cryptographic Step
- CWE-326: Inadequate Encryption Strength
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-328: Reversible One-Way Hash
- CWE-329: Not Using a Random IV with CBC Mode
- CWE-780: Use of RSA Algorithm without OAEP
- CWE-355: User Interface Security Issues
- CWE-260: Password in Configuration File
- CWE-287: Improper Authentication
- CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
- CWE-301: Reflection Attack in an Authentication Protocol
- CWE-303: Incorrect Implementation of Authentication Algorithm
- CWE-304: Missing Critical Step in Authentication
- CWE-306: Missing Authentication for Critical Function
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-308: Use of Single-factor Authentication
- CWE-309: Use of Password System for Primary Authentication
- CWE-592: Authentication Bypass Issues
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-289: Authentication Bypass by Alternate Name
- CWE-290: Authentication Bypass by Spoofing
- CWE-294: Authentication Bypass by Capture-replay
- CWE-302: Authentication Bypass by Assumed-Immutable Data
- CWE-305: Authentication Bypass by Primary Weakness
- CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
- CWE-603: Use of Client-Side Authentication
- CWE-620: Unverified Password Change
- CWE-645: Overly Restrictive Account Lockout Mechanism
- CWE-804: Guessable CAPTCHA
- CWE-836: Use of Password Hash Instead of Password for Authentication
- CWE-923: Improper Authentication of Endpoint in a Communication Channel
- CWE-384: Session Fixation
- CWE-295: Improper Certificate Validation
- CWE-330: Use of Insufficiently Random Values
- CWE-331: Insufficient Entropy
- CWE-334: Small Space of Random Values
- CWE-335: PRNG Seed Error
- CWE-338: Use of Cryptographically Weak PRNG
- CWE-340: Predictability Problems
- CWE-341: Predictable from Observable State
- CWE-342: Predictable Exact Value from Previous Values
- CWE-343: Predictable Value Range from Previous Values
- CWE-344: Use of Invariant Value in Dynamically Changing Context
- CWE-804: Guessable CAPTCHA
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-346: Origin Validation Error
- CWE-347: Improper Verification of Cryptographic Signature
- CWE-348: Use of Less Trusted Source
- CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
- CWE-351: Insufficient Type Distinction
- CWE-353: Missing Support for Integrity Check
- CWE-354: Improper Validation of Integrity Check Value
- CWE-360: Trust of System Event Data
- CWE-646: Reliance on File Name or Extension of Externally-Supplied File
- CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
- CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-358: Improperly Implemented Security Check for Standard
- CWE-359: Privacy Violation
- CWE-565: Reliance on Cookies without Validation and Integrity Checking
- CWE-602: Client-Side Enforcement of Server-Side Security
- CWE-653: Insufficient Compartmentalization
- CWE-654: Reliance on a Single Factor in a Security Decision
- CWE-655: Insufficient Psychological Acceptability
- CWE-656: Reliance on Security Through Obscurity
- CWE-693: Protection Mechanism Failure
- CWE-778: Insufficient Logging
- CWE-779: Logging of Excessive Data
- CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- CWE-807: Reliance on Untrusted Inputs in a Security Decision
- CWE-361: Time and State
- CWE-371: State Issues
- CWE-376: Temporary File Issues
- CWE-380: Technology-Specific Time and State Issues
- CWE-387: Signal Errors
- CWE-557: Concurrency Issues
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-385: Covert Timing Channel
- CWE-386: Symbolic Name not Mapping to Correct Object
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-609: Double-Checked Locking
- CWE-613: Insufficient Session Expiration
- CWE-662: Improper Synchronization
- CWE-663: Use of a Non-reentrant Function in a Concurrent Context
- CWE-664: Improper Control of a Resource Through its Lifetime
- CWE-704: Incorrect Type Conversion or Cast
- CWE-922: Insecure Storage of Sensitive Information
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-313: Cleartext Storage in a File or on Disk
- CWE-314: Cleartext Storage in the Registry
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie
- CWE-316: Cleartext Storage of Sensitive Information in Memory
- CWE-317: Cleartext Storage of Sensitive Information in GUI
- CWE-318: Cleartext Storage of Sensitive Information in Executable
- CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
- CWE-668: Exposure of Resource to Wrong Sphere
- CWE-669: Incorrect Resource Transfer Between Spheres
- CWE-672: Operation on a Resource after Expiration or Release
- CWE-673: External Influence of Sphere Definition
- CWE-674: Uncontrolled Recursion
- CWE-691: Insufficient Control Flow Management
- CWE-698: Execution After Redirect (EAR)
- CWE-384: Session Fixation
- CWE-388: Error Handling
- CWE-389: Error Conditions, Return Values, Status Codes
- CWE-248: Uncaught Exception
- CWE-252: Unchecked Return Value
- CWE-253: Incorrect Check of Function Return Value
- CWE-390: Detection of Error Condition Without Action
- CWE-391: Unchecked Error Condition
- CWE-392: Missing Report of Error Condition
- CWE-393: Return of Wrong Status Code
- CWE-394: Unexpected Status Code or Return Value
- CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
- CWE-396: Declaration of Catch for Generic Exception
- CWE-397: Declaration of Throws for Generic Exception
- CWE-584: Return Inside Finally Block
- CWE-544: Missing Standardized Error Handling Mechanism
- CWE-600: Uncaught Exception in Servlet
- CWE-636: Not Failing Securely ('Failing Open')
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-756: Missing Custom Error Page
- CWE-417: Channel and Path Errors
- CWE-429: Handler Errors
- CWE-430: Deployment of Wrong Handler
- CWE-431: Missing Handler
- CWE-432: Dangerous Signal Handler not Disabled During Sensitive Operations
- CWE-433: Unparsed Raw Web Content Delivery
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-479: Signal Handler Use of a Non-reentrant Function
- CWE-616: Incomplete Identification of Uploaded File Variables (PHP)
- CWE-438: Behavioral Problems
- CWE-840: Business Logic Errors
- CWE-200: Information Exposure
- CWE-201: Information Exposure Through Sent Data
- CWE-202: Exposure of Sensitive Data Through Data Queries
- CWE-203: Information Exposure Through Discrepancy
- CWE-209: Information Exposure Through an Error Message
- CWE-212: Improper Cross-boundary Removal of Sensitive Data
- CWE-213: Intentional Information Exposure
- CWE-214: Information Exposure Through Process Environment
- CWE-215: Information Exposure Through Debug Information
- CWE-226: Sensitive Information Uncleared Before Release
- CWE-497: Exposure of System Data to an Unauthorized Control Sphere
- CWE-524: Information Exposure Through Caching
- CWE-526: Information Exposure Through Environmental Variables
- CWE-538: File and Directory Information Exposure
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
- CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
- CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
- CWE-532: Information Exposure Through Log Files
- CWE-539: Information Exposure Through Persistent Cookies
- CWE-540: Information Exposure Through Source Code
- CWE-548: Information Exposure Through Directory Listing
- CWE-651: Information Exposure Through WSDL File
- CWE-598: Information Exposure Through Query Strings in GET Request
- CWE-612: Information Exposure Through Indexing of Private Data
- CWE-282: Improper Ownership Management
- CWE-285: Improper Authorization
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-408: Incorrect Behavior Order: Early Amplification
- CWE-596: Incorrect Semantic Object Comparison
- CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-640: Weak Password Recovery Mechanism for Forgotten Password
- CWE-666: Operation on Resource in Wrong Phase of Lifetime
- CWE-696: Incorrect Behavior Order
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-799: Improper Control of Interaction Frequency
- CWE-841: Improper Enforcement of Behavioral Workflow
- CWE-439: Behavioral Change in New Version or Environment
- CWE-440: Expected Behavior Violation
- CWE-799: Improper Control of Interaction Frequency
- CWE-841: Improper Enforcement of Behavioral Workflow
- CWE-442: Web Problems
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
- CWE-425: Direct Request ('Forced Browsing')
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-646: Reliance on File Name or Extension of Externally-Supplied File
- CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions
- CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
- CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
- CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
- CWE-85: Doubled Character XSS Manipulations
- CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
- CWE-87: Improper Neutralization of Alternate XSS Syntax
- CWE-827: Improper Control of Document Type Definition
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-445: User Interface Errors
- CWE-452: Initialization and Cleanup Errors
- CWE-453: Insecure Default Variable Initialization
- CWE-454: External Initialization of Trusted Variables or Data Stores
- CWE-455: Non-exit on Failed Initialization
- CWE-456: Missing Initialization of a Variable
- CWE-459: Incomplete Cleanup
- CWE-460: Improper Cleanup on Thrown Exception
- CWE-665: Improper Initialization
- CWE-908: Use of Uninitialized Resource
- CWE-909: Missing Initialization of Resource
- CWE-910: Use of Expired File Descriptor
- CWE-911: Improper Update of Reference Count
- CWE-465: Pointer Issues
- CWE-466: Return of Pointer Value Outside of Expected Range
- CWE-467: Use of sizeof() on a Pointer Type
- CWE-468: Incorrect Pointer Scaling
- CWE-469: Use of Pointer Subtraction to Determine Size
- CWE-476: NULL Pointer Dereference
- CWE-587: Assignment of a Fixed Address to a Pointer
- CWE-588: Attempt to Access Child of a Non-structure Pointer
- CWE-761: Free of Pointer not at Start of Buffer
- CWE-763: Release of Invalid Pointer or Reference
- CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
- CWE-227: Improper Fulfillment of API Contract ('API Abuse')
- CWE-251: Often Misused: String Management
- CWE-559: Often Misused: Arguments and Parameters
- CWE-560: Use of umask() with chmod-style Argument
- CWE-628: Function Call with Incorrectly Specified Arguments
- CWE-683: Function Call With Incorrect Order of Arguments
- CWE-685: Function Call With Incorrect Number of Arguments
- CWE-686: Function Call With Incorrect Argument Type
- CWE-687: Function Call With Incorrectly Specified Argument Value
- CWE-688: Function Call With Incorrect Variable or Reference as Argument
- CWE-242: Use of Inherently Dangerous Function
- CWE-243: Creation of chroot Jail Without Changing Working Directory
- CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')
- CWE-245: J2EE Bad Practices: Direct Management of Connections
- CWE-246: J2EE Bad Practices: Direct Use of Sockets
- CWE-248: Uncaught Exception
- CWE-250: Execution with Unnecessary Privileges
- CWE-252: Unchecked Return Value
- CWE-253: Incorrect Check of Function Return Value
- CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action
- CWE-382: J2EE Bad Practices: Use of System.exit()
- CWE-573: Improper Following of Specification by Caller
- CWE-577: EJB Bad Practices: Use of Sockets
- CWE-578: EJB Bad Practices: Use of Class Loader
- CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session
- CWE-580: clone() Method Without super.clone()
- CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined
- CWE-694: Use of Multiple Resources with Duplicate Identifier
- CWE-695: Use of Low-Level Functionality
-
CWE-577: EJB Bad Practices: Use of Sockets
-
CWE-589:
Call to Non-ubiquitous API
-
CWE-605: Multiple Binds to the Same
Port
-
CWE-684:
Incorrect Provision of Specified Functionality
-
CWE-251: Often
Misused: String Management
-
CWE-398:
Indicator of Poor Code Quality
-
CWE-399:
Resource Management Errors
- CWE-411: Resource Locking Problems
- CWE-417: Channel and Path Errors
- CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
-
CWE-401: Improper Release of Memory Before Removing Last
Reference ('Memory Leak')
- CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
- CWE-404: Improper Resource Shutdown or Release
- CWE-405: Asymmetric Resource Consumption (Amplification)
-
CWE-410:
Insufficient Resource Pool
-
CWE-415: Double Free
-
CWE-416:
Use After Free
-
CWE-568: finalize() Method Without super.finalize()
-
CWE-590: Free of Memory not on the Heap
-
CWE-761: Free of Pointer not at Start of Buffer
-
CWE-762: Mismatched Memory Management Routines
-
CWE-763: Release of Invalid Pointer or
Reference
-
CWE-569:
Expression Issues
- CWE-480: Use of Incorrect Operator
-
CWE-481: Assigning instead of Comparing
-
CWE-482: Comparing instead of Assigning
-
CWE-570: Expression is Always False
-
CWE-571: Expression is Always True
-
CWE-588: Attempt to Access Child of a Non-structure
Pointer
- CWE-595: Comparison of Object References Instead of Object Contents
-
CWE-596:
Incorrect Semantic Object Comparison
-
CWE-783: Operator Precedence Logic
Error
- CWE-404: Improper Resource Shutdown or Release
-
CWE-474: Use
of Function with Inconsistent Implementations
-
CWE-475:
Undefined Behavior for Input to API
-
CWE-476: NULL Pointer Dereference
-
CWE-477: Use
of Obsolete Functions
-
CWE-478: Missing Default Case in Switch
Statement
-
CWE-483: Incorrect Block
Delimitation
-
CWE-484: Omitted Break Statement in
Switch
-
CWE-546:
Suspicious Comment
-
CWE-547: Use of Hard-coded, Security-relevant
Constants
- CWE-561: Dead Code
-
CWE-562:
Return of Stack Variable Address
-
CWE-563:
Unused Variable
-
CWE-585:
Empty Synchronized Block
-
CWE-586:
Explicit Call to Finalize()
-
CWE-617: Reachable Assertion
-
CWE-676: Use of Potentially Dangerous
Function
-
CWE-399:
Resource Management Errors
-
CWE-485:
Insufficient Encapsulation
-
CWE-490: Mobile
Code Issues
-
CWE-491: Public cloneable() Method Without Final
('Object Hijack')
-
CWE-492: Use of Inner Class Containing Sensitive
Data
- CWE-493: Critical Public Variable Without Final Modifier
-
CWE-494: Download of Code Without Integrity
Check
-
CWE-582: Array Declared Public, Final, and Static
-
CWE-583: finalize() Method Declared Public
-
CWE-491: Public cloneable() Method Without Final
('Object Hijack')
-
CWE-486: Comparison of Classes by
Name
-
CWE-487:
Reliance on Package-level Scope
-
CWE-488:
Exposure of Data Element to Wrong Session
-
CWE-489:
Leftover Debug Code
-
CWE-495: Private Array-Typed Field Returned From
A Public Method
-
CWE-496: Public Data Assigned to Private
Array-Typed Field
-
CWE-498: Cloneable Class Containing Sensitive
Information
-
CWE-499: Serializable Class Containing Sensitive
Data
-
CWE-501: Trust
Boundary Violation
-
CWE-545: Use of Dynamic Class
Loading
-
CWE-580:
clone() Method Without super.clone()
-
CWE-594: J2EE Framework: Saving Unserializable Objects
to Disk
-
CWE-607:
Public Static Final Field References Mutable Object
- CWE-749: Exposed Dangerous Method or Function
-
CWE-766:
Critical Variable Declared Public
-
CWE-767: Access to Critical Private Variable via Public
Method
-
CWE-490: Mobile
Code Issues
-
CWE-19: Data Handling
-
CWE-503: Byte/Object Code
-
CWE-490: Mobile
Code Issues
-
CWE-491: Public cloneable() Method Without Final
('Object Hijack')
-
CWE-492:
Use of Inner Class Containing Sensitive Data
- CWE-493: Critical Public Variable Without Final Modifier
-
CWE-494: Download of Code Without Integrity
Check
-
CWE-582:
Array Declared Public, Final, and Static
-
CWE-583:
finalize() Method Declared Public
-
CWE-491: Public cloneable() Method Without Final
('Object Hijack')
-
CWE-14: Compiler Removal of Code to Clear
Buffers
-
CWE-490: Mobile
Code Issues
-
CWE-657: Violation
of Secure Design Principles
-
CWE-250: Execution with Unnecessary
Privileges
-
CWE-636: Not
Failing Securely ('Failing Open')
-
CWE-637: Unnecessary Complexity in Protection Mechanism (Not Using
'Economy of Mechanism')
-
CWE-638: Not
Using Complete Mediation
-
CWE-653:
Insufficient Compartmentalization
-
CWE-654: Reliance
on a Single Factor in a Security Decision
-
CWE-655:
Insufficient Psychological Acceptability
-
CWE-656: Reliance
on Security Through Obscurity
-
CWE-671: Lack of
Administrator Control over Security
-
CWE-250: Execution with Unnecessary
Privileges
-
CWE-18: Source Code
-
CWE-2: Environment
-
CWE-3:
Technology-specific Environment Issues
-
CWE-4: J2EE
Environment Issues
-
CWE-5: J2EE Misconfiguration: Data Transmission Without
Encryption
-
CWE-555: J2EE Misconfiguration: Plaintext Password in
Configuration File
-
CWE-6:
J2EE Misconfiguration: Insufficient Session-ID Length
-
CWE-7:
J2EE Misconfiguration: Missing Custom Error Page
-
CWE-8:
J2EE Misconfiguration: Entity Bean Declared Remote
-
CWE-9: J2EE Misconfiguration: Weak Access Permissions
for EJB Methods
-
CWE-5: J2EE Misconfiguration: Data Transmission Without
Encryption
-
CWE-519: .NET
Environment Issues
-
CWE-10: ASP.NET
Environment Issues
-
CWE-11: ASP.NET Misconfiguration: Creating Debug
Binary
-
CWE-12: ASP.NET Misconfiguration: Missing Custom Error
Page
-
CWE-13: ASP.NET Misconfiguration: Password in
Configuration File
-
CWE-554: ASP.NET Misconfiguration: Not Using Input
Validation Framework
-
CWE-556: ASP.NET Misconfiguration: Use of Identity
Impersonation
-
CWE-11: ASP.NET Misconfiguration: Creating Debug
Binary
-
CWE-520:
.NET Misconfiguration: Use of Impersonation
-
CWE-10: ASP.NET
Environment Issues
-
CWE-4: J2EE
Environment Issues
-
CWE-14:
Compiler Removal of Code to Clear Buffers
-
CWE-15: External
Control of System or Configuration Setting
- CWE-435: Interaction Error
-
CWE-552: Files or
Directories Accessible to External Parties
-
CWE-527: Exposure of CVS Repository to an Unauthorized
Control Sphere
-
CWE-528:
Exposure of Core Dump File to an Unauthorized Control Sphere
-
CWE-529: Exposure of Access Control List Files to an
Unauthorized Control Sphere
- CWE-532: Information Exposure Through Log Files
-
CWE-533:
Information Exposure Through Server Log Files
-
CWE-534:
Information Exposure Through Debug Log Files
- CWE-540: Information Exposure Through Source Code
-
CWE-542:
Information Exposure Through Cleanup Log Files
-
CWE-553:
Command Shell in Externally Accessible Directory
-
CWE-527: Exposure of CVS Repository to an Unauthorized
Control Sphere
-
CWE-650:
Trusting HTTP Permission Methods on the Server Side
-
CWE-3:
Technology-specific Environment Issues
-
CWE-16: Configuration
- CWE-504: Motivation/Intent
-
CWE-629: Weaknesses in OWASP Top Ten
(2007)
CWE coverage for Red Hat Customer Portal emphasized in the Research View (CWE-1000)
- CWE-1000: Research Concepts
- CWE-118: Improper Access of Indexable Resource ('Range Error')
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-123: Write-what-where Condition
- CWE-125: Out-of-bounds Read
- CWE-466: Return of Pointer Value Outside of Expected Range
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-822: Untrusted Pointer Dereference
- CWE-823: Use of Out-of-range Pointer Offset
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-330: Use of Insufficiently Random Values
- CWE-329: Not Using a Random IV with CBC Mode
- CWE-331: Insufficient Entropy
- CWE-334: Small Space of Random Values
- CWE-335: PRNG Seed Error
- CWE-338: Use of Cryptographically Weak PRNG
- CWE-340: Predictability Problems
- CWE-341: Predictable from Observable State
- CWE-342: Predictable Exact Value from Previous Values
- CWE-343: Predictable Value Range from Previous Values
- CWE-344: Use of Invariant Value in Dynamically Changing Context
- CWE-804: Guessable CAPTCHA
- CWE-329: Not Using a Random IV with CBC Mode
- CWE-435: Interaction Error
- CWE-188: Reliance on Data/Memory Layout
- CWE-436: Interpretation Conflict
- CWE-115: Misinterpretation of Input
- CWE-437: Incomplete Model of Endpoint Features
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CWE-626: Null Byte Interaction Error (Poison Null Byte)
- CWE-650: Trusting HTTP Permission Methods on the Server Side
- CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
- CWE-115: Misinterpretation of Input
- CWE-439: Behavioral Change in New Version or Environment
- CWE-733: Compiler Optimization Removal or Modification of Security-critical Code
- CWE-664: Improper Control of a Resource Through its Lifetime
- CWE-221: Information Loss or Omission
- CWE-222: Truncation of Security-relevant Information
- CWE-223: Omission of Security-relevant Information
- CWE-224: Obscured Security-relevant Information by Alternate Name
- CWE-356: Product UI does not Warn User of Unsafe Actions
- CWE-396: Declaration of Catch for Generic Exception
- CWE-397: Declaration of Throws for Generic Exception
- CWE-451: UI Misrepresentation of Critical Information
- CWE-222: Truncation of Security-relevant Information
- CWE-284: Improper Access Control
- CWE-269: Improper Privilege Management
- CWE-250: Execution with Unnecessary Privileges
- CWE-266: Incorrect Privilege Assignment
- CWE-267: Privilege Defined With Unsafe Actions
- CWE-268: Privilege Chaining
- CWE-270: Privilege Context Switching Error
- CWE-271: Privilege Dropping / Lowering Errors
- CWE-274: Improper Handling of Insufficient Privileges
- CWE-648: Incorrect Use of Privileged APIs
- CWE-250: Execution with Unnecessary Privileges
- CWE-282: Improper Ownership Management
- CWE-285: Improper Authorization
- CWE-219: Sensitive Data Under Web Root
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
- CWE-926: Improper Restriction of Content Provider Export to Other Applications
- CWE-927: Use of Implicit Intent for Sensitive Communication
- CWE-286: Incorrect User Management
- CWE-287: Improper Authentication
- CWE-261: Weak Cryptography for Passwords
- CWE-262: Not Using Password Aging
- CWE-263: Password Aging with Long Expiration
- CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
- CWE-301: Reflection Attack in an Authentication Protocol
- CWE-303: Incorrect Implementation of Authentication Algorithm
- CWE-306: Missing Authentication for Critical Function
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-308: Use of Single-factor Authentication
- CWE-309: Use of Password System for Primary Authentication
- CWE-521: Weak Password Requirements
- CWE-522: Insufficiently Protected Credentials
- CWE-592: Authentication Bypass Issues
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-289: Authentication Bypass by Alternate Name
- CWE-290: Authentication Bypass by Spoofing
- CWE-294: Authentication Bypass by Capture-replay
- CWE-302: Authentication Bypass by Assumed-Immutable Data
- CWE-305: Authentication Bypass by Primary Weakness
- CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
- CWE-603: Use of Client-Side Authentication
- CWE-620: Unverified Password Change
- CWE-640: Weak Password Recovery Mechanism for Forgotten Password
- CWE-645: Overly Restrictive Account Lockout Mechanism
- CWE-798: Use of Hard-coded Credentials
- CWE-804: Guessable CAPTCHA
- CWE-836: Use of Password Hash Instead of Password for Authentication
- CWE-923: Improper Authentication of Endpoint in a Communication Channel
- CWE-384: Session Fixation
- CWE-261: Weak Cryptography for Passwords
- CWE-269: Improper Privilege Management
- CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
- CWE-404: Improper Resource Shutdown or Release
- CWE-262: Not Using Password Aging
- CWE-263: Password Aging with Long Expiration
- CWE-299: Improper Check for Certificate Revocation
- CWE-459: Incomplete Cleanup
- CWE-619: Dangling Database Cursor ('Cursor Injection')
- CWE-763: Release of Invalid Pointer or Reference
- CWE-772: Missing Release of Resource after Effective Lifetime
- CWE-262: Not Using Password Aging
- CWE-405: Asymmetric Resource Consumption (Amplification)
- CWE-410: Insufficient Resource Pool
- CWE-471: Modification of Assumed-Immutable Data (MAID)
- CWE-485: Insufficient Encapsulation
- CWE-216: Containment Errors (Container Errors)
- CWE-486: Comparison of Classes by Name
- CWE-487: Reliance on Package-level Scope
- CWE-488: Exposure of Data Element to Wrong Session
- CWE-489: Leftover Debug Code
- CWE-495: Private Array-Typed Field Returned From A Public Method
- CWE-496: Public Data Assigned to Private Array-Typed Field
- CWE-498: Cloneable Class Containing Sensitive Information
- CWE-499: Serializable Class Containing Sensitive Data
- CWE-501: Trust Boundary Violation
- CWE-545: Use of Dynamic Class Loading
- CWE-580: clone() Method Without super.clone()
- CWE-594: J2EE Framework: Saving Unserializable Objects to Disk
- CWE-749: Exposed Dangerous Method or Function
- CWE-766: Critical Variable Declared Public
- CWE-767: Access to Critical Private Variable via Public Method
- CWE-610: Externally Controlled Reference to a Resource in Another Sphere
- CWE-15: External Control of System or Configuration Setting
- CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-73: External Control of File Name or Path
- CWE-15: External Control of System or Configuration Setting
- CWE-662: Improper Synchronization
- CWE-663: Use of a Non-reentrant Function in a Concurrent Context
- CWE-667: Improper Locking
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-413: Improper Resource Locking
- CWE-414: Missing Lock Check
- CWE-609: Double-Checked Locking
- CWE-764: Multiple Locks of a Critical Resource
- CWE-765: Multiple Unlocks of a Critical Resource
- CWE-832: Unlock of a Resource that is not Locked
- CWE-833: Deadlock
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-820: Missing Synchronization
- CWE-821: Incorrect Synchronization
- CWE-665: Improper Initialization
- CWE-453: Insecure Default Variable Initialization
- CWE-454: External Initialization of Trusted Variables or Data Stores
- CWE-455: Non-exit on Failed Initialization
- CWE-457: Use of Uninitialized Variable
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-909: Missing Initialization of Resource
- CWE-453: Insecure Default Variable Initialization
- CWE-666: Operation on Resource in Wrong Phase of Lifetime
- CWE-415: Double Free
- CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
- CWE-605: Multiple Binds to the Same Port
- CWE-672: Operation on a Resource after Expiration or Release
- CWE-826: Premature Release of Resource During Expected Lifetime
- CWE-415: Double Free
- CWE-668: Exposure of Resource to Wrong Sphere
- CWE-200: Information Exposure
- CWE-201: Information Exposure Through Sent Data
- CWE-203: Information Exposure Through Discrepancy
- CWE-209: Information Exposure Through an Error Message
- CWE-212: Improper Cross-boundary Removal of Sensitive Data
- CWE-213: Intentional Information Exposure
- CWE-214: Information Exposure Through Process Environment
- CWE-215: Information Exposure Through Debug Information
- CWE-226: Sensitive Information Uncleared Before Release
- CWE-359: Privacy Violation
- CWE-497: Exposure of System Data to an Unauthorized Control Sphere
- CWE-524: Information Exposure Through Caching
- CWE-526: Information Exposure Through Environmental Variables
- CWE-538: File and Directory Information Exposure
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
- CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
- CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
- CWE-532: Information Exposure Through Log Files
- CWE-539: Information Exposure Through Persistent Cookies
- CWE-540: Information Exposure Through Source Code
- CWE-548: Information Exposure Through Directory Listing
- CWE-651: Information Exposure Through WSDL File
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-598: Information Exposure Through Query Strings in GET Request
- CWE-612: Information Exposure Through Indexing of Private Data
- CWE-201: Information Exposure Through Sent Data
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
- CWE-24: Path Traversal: '../filedir'
- CWE-25: Path Traversal: '/../filedir'
- CWE-26: Path Traversal: '/dir/../filename'
- CWE-27: Path Traversal: 'dir/../../filename'
- CWE-28: Path Traversal: '..\filedir'
- CWE-29: Path Traversal: '\..\filename'
- CWE-30: Path Traversal: '\dir\..\filename'
- CWE-31: Path Traversal: 'dir\..\..\filename'
- CWE-32: Path Traversal: '...' (Triple Dot)
- CWE-33: Path Traversal: '....' (Multiple Dot)
- CWE-34: Path Traversal: '....//'
- CWE-35: Path Traversal: '.../...//'
- CWE-24: Path Traversal: '../filedir'
- CWE-36: Absolute Path Traversal
- CWE-23: Relative Path Traversal
- CWE-220: Sensitive Data Under FTP Root
- CWE-374: Passing Mutable Objects to an Untrusted Method
- CWE-375: Returning a Mutable Object to an Untrusted Caller
- CWE-377: Insecure Temporary File
- CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
- CWE-427: Uncontrolled Search Path Element
- CWE-428: Unquoted Search Path or Element
- CWE-491: Public cloneable() Method Without Final ('Object Hijack')
- CWE-492: Use of Inner Class Containing Sensitive Data
- CWE-493: Critical Public Variable Without Final Modifier
- CWE-514: Covert Channel
- CWE-522: Insufficiently Protected Credentials
- CWE-552: Files or Directories Accessible to External Parties
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
- CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
- CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
- CWE-532: Information Exposure Through Log Files
- CWE-540: Information Exposure Through Source Code
- CWE-548: Information Exposure Through Directory Listing
- CWE-553: Command Shell in Externally Accessible Directory
- CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere
- CWE-582: Array Declared Public, Final, and Static
- CWE-583: finalize() Method Declared Public
- CWE-608: Struts: Non-private Field in ActionForm Class
- CWE-642: External Control of Critical State Data
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-766: Critical Variable Declared Public
- CWE-767: Access to Critical Private Variable via Public Method
- CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote
- CWE-927: Use of Implicit Intent for Sensitive Communication
- CWE-200: Information Exposure
- CWE-669: Incorrect Resource Transfer Between Spheres
- CWE-212: Improper Cross-boundary Removal of Sensitive Data
- CWE-243: Creation of chroot Jail Without Changing Working Directory
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-494: Download of Code Without Integrity Check
- CWE-602: Client-Side Enforcement of Server-Side Security
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CWE-212: Improper Cross-boundary Removal of Sensitive Data
- CWE-673: External Influence of Sphere Definition
- CWE-704: Incorrect Type Conversion or Cast
- CWE-706: Use of Incorrectly-Resolved Name or Reference
- CWE-178: Improper Handling of Case Sensitivity
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
- CWE-24: Path Traversal: '../filedir'
- CWE-25: Path Traversal: '/../filedir'
- CWE-26: Path Traversal: '/dir/../filename'
- CWE-27: Path Traversal: 'dir/../../filename'
- CWE-28: Path Traversal: '..\filedir'
- CWE-29: Path Traversal: '\..\filename'
- CWE-30: Path Traversal: '\dir\..\filename'
- CWE-31: Path Traversal: 'dir\..\..\filename'
- CWE-32: Path Traversal: '...' (Triple Dot)
- CWE-33: Path Traversal: '....' (Multiple Dot)
- CWE-34: Path Traversal: '....//'
- CWE-35: Path Traversal: '.../...//'
- CWE-24: Path Traversal: '../filedir'
- CWE-36: Absolute Path Traversal
- CWE-23: Relative Path Traversal
- CWE-386: Symbolic Name not Mapping to Correct Object
- CWE-41: Improper Resolution of Path Equivalence
- CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
- CWE-44: Path Equivalence: 'file.name' (Internal Dot)
- CWE-46: Path Equivalence: 'filename ' (Trailing Space)
- CWE-47: Path Equivalence: ' filename' (Leading Space)
- CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
- CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
- CWE-50: Path Equivalence: '//multiple/leading/slash'
- CWE-51: Path Equivalence: '/multiple//internal/slash'
- CWE-52: Path Equivalence: '/multiple/trailing/slash//'
- CWE-53: Path Equivalence: '\multiple\\internal\backslash'
- CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash)
- CWE-55: Path Equivalence: '/./' (Single Dot Directory)
- CWE-56: Path Equivalence: 'filedir*' (Wildcard)
- CWE-57: Path Equivalence: 'fakedir/../realdir/filename'
- CWE-58: Path Equivalence: Windows 8.3 Filename
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-66: Improper Handling of File Names that Identify Virtual Resources
- CWE-827: Improper Control of Document Type Definition
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
- CWE-178: Improper Handling of Case Sensitivity
- CWE-908: Use of Uninitialized Resource
- CWE-911: Improper Update of Reference Count
- CWE-913: Improper Control of Dynamically-Managed Code Resources
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-502: Deserialization of Untrusted Data
- CWE-914: Improper Control of Dynamically-Identified Variables
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-922: Insecure Storage of Sensitive Information
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-313: Cleartext Storage in a File or on Disk
- CWE-314: Cleartext Storage in the Registry
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie
- CWE-316: Cleartext Storage of Sensitive Information in Memory
- CWE-317: Cleartext Storage of Sensitive Information in GUI
- CWE-318: Cleartext Storage of Sensitive Information in Executable
- CWE-313: Cleartext Storage in a File or on Disk
- CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-221: Information Loss or Omission
- CWE-682: Incorrect Calculation
- CWE-128: Wrap-around Error
- CWE-131: Incorrect Calculation of Buffer Size
- CWE-135: Incorrect Calculation of Multi-Byte String Length
- CWE-190: Integer Overflow or Wraparound
- CWE-191: Integer Underflow (Wrap or Wraparound)
- CWE-193: Off-by-one Error
- CWE-369: Divide By Zero
- CWE-467: Use of sizeof() on a Pointer Type
- CWE-468: Incorrect Pointer Scaling
- CWE-469: Use of Pointer Subtraction to Determine Size
- CWE-839: Numeric Range Comparison Without Minimum Check
- CWE-128: Wrap-around Error
- CWE-691: Insufficient Control Flow Management
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-430: Deployment of Wrong Handler
- CWE-431: Missing Handler
- CWE-623: Unsafe ActiveX Control Marked Safe For Scripting
- CWE-662: Improper Synchronization
- CWE-663: Use of a Non-reentrant Function in a Concurrent Context
- CWE-667: Improper Locking
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-413: Improper Resource Locking
- CWE-414: Missing Lock Check
- CWE-609: Double-Checked Locking
- CWE-764: Multiple Locks of a Critical Resource
- CWE-765: Multiple Unlocks of a Critical Resource
- CWE-832: Unlock of a Resource that is not Locked
- CWE-833: Deadlock
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-820: Missing Synchronization
- CWE-821: Incorrect Synchronization
- CWE-670: Always-Incorrect Control Flow Implementation
- CWE-696: Incorrect Behavior Order
- CWE-705: Incorrect Control Flow Scoping
- CWE-248: Uncaught Exception
- CWE-382: J2EE Bad Practices: Use of System.exit()
- CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
- CWE-396: Declaration of Catch for Generic Exception
- CWE-397: Declaration of Throws for Generic Exception
- CWE-455: Non-exit on Failed Initialization
- CWE-584: Return Inside Finally Block
- CWE-698: Execution After Redirect (EAR)
- CWE-749: Exposed Dangerous Method or Function
- CWE-768: Incorrect Short Circuit Evaluation
- CWE-799: Improper Control of Interaction Frequency
- CWE-834: Excessive Iteration
- CWE-118: Improper Access of Indexable Resource ('Range Error')