
Differences between Version 2.11 and Version 2.12

Summary
Total (Version 2.12) 1023
Total (Version 2.11) 1006
Total new 17
Total deprecated 24
Total shared 1006
Total important changes 447
Total major changes 756
Total minor changes 118
Total minor changes (no major) 12
Total unchanged 238

Summary of Entry Types

Type Version 2.11 Version 2.12
Category 243 237
Chain 3 3
Composite 5 5
Deprecated 17 41
View 33 31
Weakness 705 706

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.
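The classification rules above (whitespace ignored, capitalization-and-punctuation-only changes Minor, the rest Major) and the D/N/R key used later in the Important Changes section can be applied mechanically. The following Python is an added example, not MITRE's report tooling: the CWE-1 sample entry reflects its 2.11-to-2.12 renaming to "DEPRECATED: Location" as listed in this report, but its description text and relationship set are constructed, and treating a field that appears or disappears as a Major change is an assumption.

```python
"""Classify field-level changes between two versions of one CWE entry.

Added example; not part of MITRE's report or tooling. It implements the
rules stated above: whitespace differences are ignored, a change limited to
capitalization and punctuation is Minor, anything else is Major. The D/N/R
flag string follows the key of the Important Changes section of this report.
The CWE-1 sample below has constructed field text.
"""
import string
from typing import Any, Dict

# Fields whose Major change makes a node change "important", with the letter
# the report's key uses for each (order D, N, R as printed there).
CRITICAL_FIELDS = {"Description": "D", "Name": "N", "Relationships": "R"}

_DROP_WS = {ord(c): None for c in string.whitespace}
_DROP_PUNCT = {ord(c): None for c in string.punctuation}


def classify_change(old: Any, new: Any) -> str:
    """Return 'none', 'minor' or 'major' for one field of one entry.

    Non-string values (e.g. a set of relationships) are compared for equality
    only; a field that appears or disappears counts as Major (assumption).
    """
    if old is None and new is None:
        return "none"
    if old is None or new is None:
        return "major"
    if not isinstance(old, str) or not isinstance(new, str):
        return "none" if old == new else "major"
    # Whitespace is ignored entirely, so compare with every whitespace char removed.
    a, b = old.translate(_DROP_WS), new.translate(_DROP_WS)
    if a == b:
        return "none"
    # Minor: identical once case and punctuation are disregarded as well.
    if a.lower().translate(_DROP_PUNCT) == b.lower().translate(_DROP_PUNCT):
        return "minor"
    return "major"


def diff_entry(old_entry: Dict[str, Any], new_entry: Dict[str, Any]) -> Dict[str, str]:
    """Map every field present in either version to its change class."""
    fields = sorted(set(old_entry) | set(new_entry))
    return {f: classify_change(old_entry.get(f), new_entry.get(f)) for f in fields}


def important_flags(changes: Dict[str, str]) -> str:
    """Build the key string ('DN', 'R', 'DNR', ...) for an entry's changes:
    one letter per critical field with a Major change; '' if not important."""
    return "".join(letter for field, letter in CRITICAL_FIELDS.items()
                   if changes.get(field) == "major")


# Constructed sample modelled on CWE-1, which went from the Category
# "Location" in 2.11 to "DEPRECATED: Location" in 2.12 (Relationships kept).
OLD_CWE_1 = {
    "Name": "Location",
    "Description": "Weaknesses in this category are organized by location.",  # constructed
    "Relationships": frozenset({("MemberOf", 699)}),  # constructed
    "Type": "Category",
}
NEW_CWE_1 = {
    "Name": "DEPRECATED: Location",
    "Description": "This category has been deprecated.",  # constructed
    "Relationships": frozenset({("MemberOf", 699)}),  # constructed
    "Type": "Deprecated",
}

if __name__ == "__main__":
    changes = diff_entry(OLD_CWE_1, NEW_CWE_1)
    for field, kind in changes.items():
        print(f"{field:14} {kind}")
    print("important:", important_flags(changes) or "no")
```

Run against the sample, Name, Description and Type come out Major and Relationships unchanged, which yields the "DN" flags this report shows for CWE-1; a value such as "Language: All" versus "language: all" comes out Minor, the pattern behind the 110 Minor Applicable_Platforms changes in the table below.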

Field Major Minor
Name 56 1
Description 69 0
Applicable_Platforms 344 110
Time_of_Introduction 12 0
Demonstrative_Examples 99 0
Detection_Factors 8 0
Likelihood_of_Exploit 67 0
Common_Consequences 14 0
Relationships 417 0
References 162 0
Potential_Mitigations 15 0
Observed_Examples 40 0
Terminology_Notes 2 0
Alternate_Terms 4 0
Related_Attack_Patterns 24 0
Relationship_Notes 15 0
Taxonomy_Mappings 202 0
Maintenance_Notes 13 0
Modes_of_Introduction 226 0
Affected_Resources 22 0
Functional_Areas 13 11
Research_Gaps 4 0
Background_Details 1 0
Theoretical_Notes 0 0
Weakness_Ordinalities 2 0
White_Box_Definitions 31 0
Enabling_Factors_for_Exploitation 23 0
Other_Notes 5 0
Relevant_Properties 19 0
View_Type 0 0
View_Structure 2 0
View_Filter 1 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 37 0
Causal_Nature 76 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From              To                Total  CWE IDs
Unchanged                             969
Category          Deprecated           20  1, 3, 10, 60, 63, 68, 70, 100, 101, 169, 418, 503, 504, 505, 513, 517, 518, 632, 633, 634
Category          Weakness/Base         1  769
Category          Weakness/Class        1  192
View              Deprecated            3  630, 631, 679
Weakness/Base     Weakness/Class        4  269, 451, 681, 684
Weakness/Base     Weakness/Variant      1  370
Weakness/Class    Category              3  227, 398, 485
Weakness/Class    Weakness/Base         1  335
Weakness/Variant  Deprecated            1  71
Weakness/Variant  Weakness/Base         2  240, 299

Status Changes

From        To          Total
Unchanged                 982
Draft       Deprecated     16
Incomplete  Deprecated      8

Relationship Changes

The "Version 2.12 Total" column lists the total number of relationships in Version 2.12. "Shared" is the number of Version 2.12 relationships whose entries existed in both Version 2.12 and Version 2.11; "New" is the number of relationships involving entries that did not exist in Version 2.11. The Version 2.12 total is therefore Shared plus New. Shared in turn splits into Unchanged (present in both versions) plus Added to Version 2.12, and the Version 2.11 total splits into Unchanged plus Removed from Version 2.11.

Relationship   v2.12 Total  v2.11 Total  v2.12 Shared  Unchanged  Added to v2.12  Removed from v2.11  v2.12 New
ALL                   8132         7935          7592       7360             232                 575        540
ChildOf               3490         3375          3233       3131             102                 244        257
ParentOf              3490         3375          3233       3131             102                 244        257
MemberOf               349          365           336        332               4                  33         13
HasMember              349          365           336        332               4                  33         13
CanPrecede             130          122           130        121               9                   1          0
CanFollow              130          122           130        121               9                   1          0
StartsWith               3            3             3          3               0                   0          0
Requires                17           17            17         16               1                   1          0
RequiredBy              17           17            17         16               1                   1          0
CanAlsoBe               29           34            29         29               0                   5          0
PeerOf                 128          140           128        128               0                  12          0
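The columns above can be recomputed from the two versions' relationship sets, which is useful when checking a vendor's or a tool's CWE mapping against a new release. The Python below is an added example and not MITRE's own tooling. It models a relationship as (owner CWE-ID, name, target CWE-ID) the way CWE stores it, with a ParentOf on the parent and the mirrored ChildOf on the child, so each mutual link is counted once per endpoint as the report does. Reading "involving" as "either endpoint is a new entry" is an interpretation of the wording above, and the entries and links in the sample are constructed, not CWE's actual data.

```python
"""Per-type relationship statistics for a CWE difference report.

Added example, not MITRE's own tooling. A relationship is modelled as
(owner CWE-ID, name, target CWE-ID) the way CWE stores it: a ParentOf on
the parent and a mirrored ChildOf on the child, so every mutual link is
counted once per endpoint, as the report does. The entries and links below
are constructed for illustration and are not CWE's actual data.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

Rel = Tuple[int, str, int]
Stats = Dict[str, Dict[str, int]]
COLUMNS = ("new_total", "old_total", "shared", "unchanged", "added", "removed", "new")

# Directional names and their mirror image. PeerOf and CanAlsoBe mirror onto
# themselves; StartsWith (a chain's first element) has no mirror in the report.
_INVERSE = {"ChildOf": "ParentOf", "MemberOf": "HasMember",
            "CanPrecede": "CanFollow", "Requires": "RequiredBy"}
_INVERSE.update({v: k for k, v in list(_INVERSE.items())})
_SYMMETRIC = {"PeerOf", "CanAlsoBe"}


def mirror(rels: Iterable[Rel]) -> Set[Rel]:
    """Return the relationship set with each link present on both endpoints."""
    out: Set[Rel] = set()
    for owner, name, target in rels:
        out.add((owner, name, target))
        if name in _INVERSE:
            out.add((target, _INVERSE[name], owner))
        elif name in _SYMMETRIC:
            out.add((target, name, owner))
    return out


def relationship_stats(old_rels: Set[Rel], new_rels: Set[Rel], old_ids: Set[int]) -> Stats:
    """Compute the report's columns per relationship name plus an ALL row.

    "Shared" counts new-version links whose two endpoints both existed in the
    old version; "New" counts links touching an entry that did not exist yet
    (interpretation: "involving" means either endpoint).
    """
    stats: Stats = defaultdict(lambda: dict.fromkeys(COLUMNS, 0))

    def bump(name: str, column: str) -> None:
        stats[name][column] += 1
        stats["ALL"][column] += 1

    for rel in new_rels:
        owner, name, target = rel
        bump(name, "new_total")
        if owner in old_ids and target in old_ids:
            bump(name, "shared")
            bump(name, "unchanged" if rel in old_rels else "added")
        else:
            bump(name, "new")
    for rel in old_rels:
        bump(rel[1], "old_total")
        if rel not in new_rels:
            bump(rel[1], "removed")
    return dict(stats)


def check_invariants(stats: Stats) -> bool:
    """The identities the report's prose implies: Total = Shared + New,
    Shared = Unchanged + Added, old Total = Unchanged + Removed."""
    return all(
        row["new_total"] == row["shared"] + row["new"]
        and row["shared"] == row["unchanged"] + row["added"]
        and row["old_total"] == row["unchanged"] + row["removed"]
        for row in stats.values()
    )


# Constructed sample: entry 40 is new in the later version, entry 30 was
# re-parented from 10 to 20, and the PeerOf link between 20 and 30 was dropped.
OLD_IDS = {10, 20, 30, 699}
OLD_RELS = mirror({(20, "ChildOf", 10), (30, "ChildOf", 10),
                   (20, "PeerOf", 30), (10, "MemberOf", 699)})
NEW_RELS = mirror({(20, "ChildOf", 10), (30, "ChildOf", 20),
                   (40, "ChildOf", 10), (10, "MemberOf", 699)})


def sample_stats() -> Stats:
    """Statistics for the constructed sample above."""
    return relationship_stats(OLD_RELS, NEW_RELS, OLD_IDS)


if __name__ == "__main__":
    table = sample_stats()
    print(f"{'Relationship':14}" + "".join(f"{c:>10}" for c in COLUMNS))
    for name in ["ALL"] + sorted(n for n in table if n != "ALL"):
        print(f"{name:14}" + "".join(f"{table[name][c]:>10}" for c in COLUMNS))
    print("invariants hold:", check_invariants(table))
```

On the sample, ChildOf and ParentOf come out identical (3 total, 2 shared, 1 unchanged, 1 added, 1 removed, 1 new), exactly the symmetry visible in the real table, and `check_invariants` is the sanity check to run on any regenerated report before trusting its numbers.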

Nodes Removed from Version 2.11

CWE-ID CWE Name
None.

Nodes Added to Version 2.12

CWE-ID CWE Name
1006 Bad Coding Practices
1007 Insufficient Visual Distinction of Homoglyphs Presented to User
1008 Architectural Concepts
1009 Audit
1010 Authenticate Actors
1011 Authorize Actors
1012 Cross Cutting
1013 Encrypt Data
1014 Identify Actors
1015 Limit Access
1016 Limit Exposure
1017 Lock Computer
1018 Manage User Sessions
1019 Validate Inputs
1020 Verify Message Integrity
1021 Improper Restriction of Rendered UI Layers or Frames
1022 Improper Restriction of Cross-Origin Permission to window.opener.location

Nodes Deprecated in Version 2.12

CWE-ID CWE Name
1 DEPRECATED: Location
3 DEPRECATED: Technology-specific Environment Issues
10 DEPRECATED: ASP.NET Environment Issues
60 DEPRECATED: UNIX Path Link Problems
63 DEPRECATED: Windows Path Link Problems
68 DEPRECATED: Windows Virtual File Problems
70 DEPRECATED: Mac Virtual File Problems
71 DEPRECATED: Apple '.DS_Store'
100 DEPRECATED: Technology-Specific Input Validation Problems
101 DEPRECATED: Struts Validation Problems
169 DEPRECATED: Technology-Specific Special Elements
418 DEPRECATED: Channel Errors
503 DEPRECATED: Byte/Object Code
504 DEPRECATED: Motivation/Intent
505 DEPRECATED: Intentionally Introduced Weakness
513 DEPRECATED: Intentionally Introduced Nonmalicious Weakness
517 DEPRECATED: Other Intentional, Nonmalicious Weakness
518 DEPRECATED: Inadvertently Introduced Weakness
630 DEPRECATED: Weaknesses Examined by SAMATE
631 DEPRECATED: Resource-specific Weaknesses
632 DEPRECATED: Weaknesses that Affect Files or Directories
633 DEPRECATED: Weaknesses that Affect Memory
634 DEPRECATED: Weaknesses that Affect System Processes
679 DEPRECATED: Chain Elements

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

DN 1 DEPRECATED: Location
DN 2 7PK - Environment
DN 3 DEPRECATED: Technology-specific Environment Issues
D 5 J2EE Misconfiguration: Data Transmission Without Encryption
D R 6 J2EE Misconfiguration: Insufficient Session-ID Length
DNR 10 DEPRECATED: ASP.NET Environment Issues
R 11 ASP.NET Misconfiguration: Creating Debug Binary
R 12 ASP.NET Misconfiguration: Missing Custom Error Page
R 13 ASP.NET Misconfiguration: Password in Configuration File
R 14 Compiler Removal of Code to Clear Buffers
R 15 External Control of System or Configuration Setting
R 18 Source Code
R 19 Data Processing Errors
R 20 Improper Input Validation
D R 21 Pathname Traversal and Equivalence Errors
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 41 Improper Resolution of Path Equivalence
R 59 Improper Link Resolution Before File Access ('Link Following')
DNR 60 DEPRECATED: UNIX Path Link Problems
R 61 UNIX Symbolic Link (Symlink) Following
R 62 UNIX Hard Link
DNR 63 DEPRECATED: Windows Path Link Problems
R 64 Windows Shortcut Following (.LNK)
R 65 Windows Hard Link
R 66 Improper Handling of File Names that Identify Virtual Resources
R 67 Improper Handling of Windows Device Names
DNR 68 DEPRECATED: Windows Virtual File Problems
R 69 Improper Handling of Windows ::DATA Alternate Data Stream
DNR 70 DEPRECATED: Mac Virtual File Problems
DNR 71 DEPRECATED: Apple '.DS_Store'
R 72 Improper Handling of Apple HFS+ Alternate Data Stream Path
R 73 External Control of File Name or Path
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
R 76 Improper Neutralization of Equivalent Special Elements
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
R 88 Argument Injection or Modification
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
R 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
R 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
R 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
DNR 100 DEPRECATED: Technology-Specific Input Validation Problems
DNR 101 DEPRECATED: Struts Validation Problems
R 102 Struts: Duplicate Validation Forms
R 103 Struts: Incomplete validate() Method Definition
R 104 Struts: Form Bean Does Not Extend Validation Class
R 105 Struts: Form Field Without Validator
R 106 Struts: Plug-in Framework not in Use
R 107 Struts: Unused Validation Form
R 108 Struts: Unvalidated Action Form
R 109 Struts: Validator Turned Off
R 110 Struts: Validator Without Form Field
R 112 Missing XML Validation
R 114 Process Control
R 117 Improper Output Neutralization for Logs
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 121 Stack-based Buffer Overflow
R 122 Heap-based Buffer Overflow
R 129 Improper Validation of Array Index
R 134 Use of Externally-Controlled Format String
R 138 Improper Neutralization of Special Elements
R 150 Improper Neutralization of Escape, Meta, or Control Sequences
R 159 Failure to Sanitize Special Element
R 160 Improper Neutralization of Leading Special Elements
R 162 Improper Neutralization of Trailing Special Elements
R 164 Improper Neutralization of Internal Special Elements
DNR 169 DEPRECATED: Technology-Specific Special Elements
R 170 Improper Null Termination
R 171 Cleansing, Canonicalization, and Comparison Errors
R 178 Improper Handling of Case Sensitivity
R 189 Numeric Errors
R 192 Integer Coercion Error
R 201 Information Exposure Through Sent Data
R 208 Information Exposure Through Timing Discrepancy
R 209 Information Exposure Through an Error Message
R 210 Information Exposure Through Self-generated Error Message
R 211 Information Exposure Through Externally-Generated Error Message
R 212 Improper Cross-boundary Removal of Sensitive Data
R 214 Information Exposure Through Process Environment
R 216 Containment Errors (Container Errors)
R 219 Sensitive Data Under Web Root
R 220 Sensitive Data Under FTP Root
R 223 Omission of Security-relevant Information
R 224 Obscured Security-relevant Information by Alternate Name
R 226 Sensitive Information Uncleared Before Release
DNR 227 7PK - API Abuse
R 242 Use of Inherently Dangerous Function
R 243 Creation of chroot Jail Without Changing Working Directory
R 244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
R 245 J2EE Bad Practices: Direct Management of Connections
R 246 J2EE Bad Practices: Direct Use of Sockets
R 248 Uncaught Exception
R 250 Execution with Unnecessary Privileges
R 251 Often Misused: String Management
R 252 Unchecked Return Value
R 253 Incorrect Check of Function Return Value
NR 254 7PK - Security Features
R 256 Plaintext Storage of a Password
R 257 Storing Passwords in a Recoverable Format
R 258 Empty Password in Configuration File
R 259 Use of Hard-coded Password
R 260 Password in Configuration File
R 261 Weak Cryptography for Passwords
R 262 Not Using Password Aging
R 263 Password Aging with Long Expiration
R 264 Permissions, Privileges, and Access Controls
R 265 Privilege / Sandbox Issues
R 266 Incorrect Privilege Assignment
R 267 Privilege Defined With Unsafe Actions
R 268 Privilege Chaining
R 269 Improper Privilege Management
R 270 Privilege Context Switching Error
R 271 Privilege Dropping / Lowering Errors
R 272 Least Privilege Violation
R 273 Improper Check for Dropped Privileges
R 274 Improper Handling of Insufficient Privileges
R 275 Permission Issues
R 276 Incorrect Default Permissions
R 277 Insecure Inherited Permissions
R 279 Incorrect Execution-Assigned Permissions
R 280 Improper Handling of Insufficient Permissions or Privileges
R 281 Improper Preservation of Permissions
R 282 Improper Ownership Management
R 283 Unverified Ownership
R 284 Improper Access Control
R 285 Improper Authorization
R 286 Incorrect User Management
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
R 290 Authentication Bypass by Spoofing
R 291 Reliance on IP Address for Authentication
R 293 Using Referer Field for Authentication
R 294 Authentication Bypass by Capture-replay
R 295 Improper Certificate Validation
R 296 Improper Following of a Certificate's Chain of Trust
R 297 Improper Validation of Certificate with Host Mismatch
R 298 Improper Validation of Certificate Expiration
R 299 Improper Check for Certificate Revocation
R 300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
R 301 Reflection Attack in an Authentication Protocol
R 302 Authentication Bypass by Assumed-Immutable Data
R 303 Incorrect Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
R 305 Authentication Bypass by Primary Weakness
R 306 Missing Authentication for Critical Function
R 307 Improper Restriction of Excessive Authentication Attempts
R 308 Use of Single-factor Authentication
R 311 Missing Encryption of Sensitive Data
R 312 Cleartext Storage of Sensitive Information
R 313 Cleartext Storage in a File or on Disk
R 314 Cleartext Storage in the Registry
R 315 Cleartext Storage of Sensitive Information in a Cookie
R 316 Cleartext Storage of Sensitive Information in Memory
R 317 Cleartext Storage of Sensitive Information in GUI
R 318 Cleartext Storage of Sensitive Information in Executable
R 319 Cleartext Transmission of Sensitive Information
R 321 Use of Hard-coded Cryptographic Key
R 322 Key Exchange without Entity Authentication
R 323 Reusing a Nonce, Key Pair in Encryption
R 324 Use of a Key Past its Expiration Date
R 325 Missing Required Cryptographic Step
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 328 Reversible One-Way Hash
R 330 Use of Insufficiently Random Values
R 331 Insufficient Entropy
R 332 Insufficient Entropy in PRNG
R 333 Improper Handling of Insufficient Entropy in TRNG
R 334 Small Space of Random Values
DNR 335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
DNR 336 Same Seed in Pseudo-Random Number Generator (PRNG)
DNR 337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
D R 338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
R 339 Small Seed Space in PRNG
R 341 Predictable from Observable State
R 345 Insufficient Verification of Data Authenticity
R 346 Origin Validation Error
R 347 Improper Verification of Cryptographic Signature
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
R 352 Cross-Site Request Forgery (CSRF)
R 353 Missing Support for Integrity Check
R 354 Improper Validation of Integrity Check Value
R 359 Exposure of Private Information ('Privacy Violation')
DN 361 7PK - Time and State
R 364 Signal Handler Race Condition
R 366 Race Condition within a Thread
R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
R 370 Missing Check for Certificate Revocation after Initial Check
R 371 State Issues
R 376 Temporary File Issues
R 382 J2EE Bad Practices: Use of System.exit()
R 383 J2EE Bad Practices: Direct Use of Threads
R 384 Session Fixation
R 387 Signal Errors
DNR 388 7PK - Errors
D R 389 Error Conditions, Return Values, Status Codes
R 390 Detection of Error Condition Without Action
R 391 Unchecked Error Condition
R 392 Missing Report of Error Condition
DNR 398 7PK - Code Quality
R 399 Resource Management Errors
R 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
R 401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
R 403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
R 404 Improper Resource Shutdown or Release
R 412 Unrestricted Externally Accessible Lock
R 415 Double Free
R 416 Use After Free
R 417 Channel and Path Errors
DNR 418 DEPRECATED: Channel Errors
R 419 Unprotected Primary Channel
R 420 Unprotected Alternate Channel
R 421 Race Condition During Access to Alternate Channel
R 422 Unprotected Windows Messaging Channel ('Shatter')
R 425 Direct Request ('Forced Browsing')
R 426 Untrusted Search Path
R 434 Unrestricted Upload of File with Dangerous Type
NR 435 Improper Interaction Between Multiple Entities
R 436 Interpretation Conflict
R 438 Behavioral Problems
R 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 442 Web Problems
R 451 User Interface (UI) Misrepresentation of Critical Information
D 454 External Initialization of Trusted Variables or Data Stores
R 457 Use of Uninitialized Variable
R 460 Improper Cleanup on Thrown Exception
R 468 Incorrect Pointer Scaling
R 472 External Control of Assumed-Immutable Web Parameter
R 473 PHP External Variable Modification
R 474 Use of Function with Inconsistent Implementations
R 475 Undefined Behavior for Input to API
R 476 NULL Pointer Dereference
NR 477 Use of Obsolete Function
R 478 Missing Default Case in Switch Statement
R 479 Signal Handler Use of a Non-reentrant Function
R 483 Incorrect Block Delimitation
R 484 Omitted Break Statement in Switch
DNR 485 7PK - Encapsulation
R 486 Comparison of Classes by Name
R 487 Reliance on Package-level Scope
R 488 Exposure of Data Element to Wrong Session
R 489 Leftover Debug Code
R 490 Mobile Code Issues
R 494 Download of Code Without Integrity Check
R 495 Private Array-Typed Field Returned From A Public Method
R 496 Public Data Assigned to Private Array-Typed Field
R 498 Cloneable Class Containing Sensitive Information
R 499 Serializable Class Containing Sensitive Data
R 501 Trust Boundary Violation
R 502 Deserialization of Untrusted Data
DN 503 DEPRECATED: Byte/Object Code
DN 504 DEPRECATED: Motivation/Intent
DNR 505 DEPRECATED: Intentionally Introduced Weakness
R 506 Embedded Malicious Code
DNR 513 DEPRECATED: Intentionally Introduced Nonmalicious Weakness
R 514 Covert Channel
DNR 517 DEPRECATED: Other Intentional, Nonmalicious Weakness
DNR 518 DEPRECATED: Inadvertently Introduced Weakness
D R 519 .NET Environment Issues
R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
R 523 Unprotected Transport of Credentials
R 527 Exposure of CVS Repository to an Unauthorized Control Sphere
R 528 Exposure of Core Dump File to an Unauthorized Control Sphere
R 529 Exposure of Access Control List Files to an Unauthorized Control Sphere
R 530 Exposure of Backup File to an Unauthorized Control Sphere
R 532 Information Exposure Through Log Files
R 533 Information Exposure Through Server Log Files
R 538 File and Directory Information Exposure
R 544 Missing Standardized Error Handling Mechanism
R 546 Suspicious Comment
R 547 Use of Hard-coded, Security-relevant Constants
R 550 Information Exposure Through Server Error Message
R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
R 552 Files or Directories Accessible to External Parties
R 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
R 556 ASP.NET Misconfiguration: Use of Identity Impersonation
R 557 Concurrency Issues
R 559 Often Misused: Arguments and Parameters
R 561 Dead Code
R 562 Return of Stack Variable Address
NR 563 Assignment to Variable without Use
R 565 Reliance on Cookies without Validation and Integrity Checking
R 566 Authorization Bypass Through User-Controlled SQL Primary Key
R 570 Expression is Always False
R 571 Expression is Always True
R 572 Call to Thread run() instead of start()
R 573 Improper Following of Specification by Caller
R 579 J2EE Bad Practices: Non-serializable Object Stored in Session
R 580 clone() Method Without super.clone()
R 585 Empty Synchronized Block
R 586 Explicit Call to Finalize()
R 589 Call to Non-ubiquitous API
R 591 Sensitive Data Storage in Improperly Locked Memory
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
R 594 J2EE Framework: Saving Unserializable Objects to Disk
R 599 Missing Validation of OpenSSL Certificate
R 600 Uncaught Exception in Servlet
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 602 Client-Side Enforcement of Server-Side Security
R 603 Use of Client-Side Authentication
D R 605 Multiple Binds to the Same Port
R 607 Public Static Final Field References Mutable Object
R 608 Struts: Non-private Field in ActionForm Class
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 611 Improper Restriction of XML External Entity Reference ('XXE')
R 613 Insufficient Session Expiration
R 617 Reachable Assertion
R 618 Exposed Unsafe ActiveX Method
R 619 Dangling Database Cursor ('Cursor Injection')
R 620 Unverified Password Change
DNR 630 DEPRECATED: Weaknesses Examined by SAMATE
DNR 631 DEPRECATED: Resource-specific Weaknesses
DNR 632 DEPRECATED: Weaknesses that Affect Files or Directories
DNR 633 DEPRECATED: Weaknesses that Affect Memory
DNR 634 DEPRECATED: Weaknesses that Affect System Processes
DN 635 Weaknesses Originally Used by NVD from 2008 to 2016
R 636 Not Failing Securely ('Failing Open')
D R 639 Authorization Bypass Through User-Controlled Key
D R 640 Weak Password Recovery Mechanism for Forgotten Password
D R 641 Improper Restriction of Names for Files and Other Resources
R 642 External Control of Critical State Data
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
D R 645 Overly Restrictive Account Lockout Mechanism
R 647 Use of Non-Canonical URL Paths for Authorization Decisions
R 648 Incorrect Use of Privileged APIs
D R 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
D R 650 Trusting HTTP Permission Methods on the Server Side
D 651 Information Exposure Through WSDL File
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
R 653 Insufficient Compartmentalization
R 656 Reliance on Security Through Obscurity
R 664 Improper Control of a Resource Through its Lifetime
R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
R 670 Always-Incorrect Control Flow Implementation
R 671 Lack of Administrator Control over Security
R 673 External Influence of Sphere Definition
R 674 Uncontrolled Recursion
R 675 Duplicate Operations on Resource
R 676 Use of Potentially Dangerous Function
D 678 Composites
DN 679 DEPRECATED: Chain Elements
R 680 Integer Overflow to Buffer Overflow
R 684 Incorrect Provision of Specified Functionality
R 689 Permission Race Condition During Resource Copy
R 690 Unchecked Return Value to NULL Pointer Dereference
R 691 Insufficient Control Flow Management
R 692 Incomplete Blacklist to Cross-Site Scripting
R 695 Use of Low-Level Functionality
R 699 Development Concepts
R 703 Improper Check or Handling of Exceptional Conditions
R 705 Incorrect Control Flow Scoping
R 707 Improper Enforcement of Message or Data Structure
R 708 Incorrect Ownership Assignment
D 709 Named Chains
NR 710 Improper Adherence to Coding Standards
R 728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
R 731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
R 732 Incorrect Permission Assignment for Critical Resource
R 733 Compiler Optimization Removal or Modification of Security-critical Code
DN 734 Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version)
DN 735 CERT C Secure Coding (2008 Version) Section 01 - Preprocessor (PRE)
DN 736 CERT C Secure Coding (2008 Version) Section 02 - Declarations and Initialization (DCL)
DN 737 CERT C Secure Coding (2008 Version) Section 03 - Expressions (EXP)
DN 738 CERT C Secure Coding (2008 Version) Section 04 - Integers (INT)
DN 739 CERT C Secure Coding (2008 Version) Section 05 - Floating Point (FLP)
DN 740 CERT C Secure Coding (2008 Version) Section 06 - Arrays (ARR)
DN 741 CERT C Secure Coding (2008 Version) Section 07 - Characters and Strings (STR)
DN 742 CERT C Secure Coding (2008 Version) Section 08 - Memory Management (MEM)
DN 743 CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO)
DN 744 CERT C Secure Coding (2008 Version) Section 10 - Environment (ENV)
DN 745 CERT C Secure Coding (2008 Version) Section 11 - Signals (SIG)
DN 746 CERT C Secure Coding (2008 Version) Section 12 - Error Handling (ERR)
DN 747 CERT C Secure Coding (2008 Version) Section 49 - Miscellaneous (MSC)
DN 748 CERT C Secure Coding (2008 Version) Section 50 - POSIX (POS)
R 749 Exposed Dangerous Method or Function
R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
R 756 Missing Custom Error Page
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
R 759 Use of a One-Way Hash without a Salt
R 760 Use of a One-Way Hash with a Predictable Salt
R 763 Release of Invalid Pointer or Reference
R 766 Critical Variable Declared Public
R 767 Access to Critical Private Variable via Public Method
DNR 769 Uncontrolled File Descriptor Consumption
R 770 Allocation of Resources Without Limits or Throttling
R 773 Missing Reference to Active File Descriptor or Handle
R 774 Allocation of File Descriptors or Handles Without Limits or Throttling
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 778 Insufficient Logging
R 779 Logging of Excessive Data
R 780 Use of RSA Algorithm without OAEP
R 782 Exposed IOCTL with Insufficient Access Control
R 784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
R 785 Use of Path Manipulation Function without Maximum-sized Buffer
R 790 Improper Filtering of Special Elements
R 791 Incomplete Filtering of Special Elements
R 792 Incomplete Filtering of One or More Instances of Special Elements
R 793 Only Filtering One Instance of a Special Element
R 794 Incomplete Filtering of Multiple Instances of Special Elements
R 795 Only Filtering Special Elements at a Specified Location
R 796 Only Filtering Special Elements Relative to a Marker
R 797 Only Filtering Special Elements at an Absolute Position
R 798 Use of Hard-coded Credentials
R 807 Reliance on Untrusted Inputs in a Security Decision
R 827 Improper Control of Document Type Definition
R 829 Inclusion of Functionality from Untrusted Control Sphere
R 830 Inclusion of Web Functionality from an Untrusted Source
R 834 Excessive Iteration
R 836 Use of Password Hash Instead of Password for Authentication
D 840 Business Logic Errors
R 841 Improper Enforcement of Behavioral Workflow
R 862 Missing Authorization
R 863 Incorrect Authorization
R 881 CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP)
R 912 Hidden Functionality
R 913 Improper Control of Dynamically-Managed Code Resources
R 916 Use of Password Hash With Insufficient Computational Effort
R 921 Storage of Sensitive Data in a Mechanism without Access Control
R 922 Insecure Storage of Sensitive Information
R 923 Improper Restriction of Communication Channel to Intended Endpoints
R 924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel
R 939 Improper Authorization in Handler for Custom URL Scheme
R 940 Improper Verification of Source of a Communication Channel
R 941 Incorrectly Specified Destination in a Communication Channel
R 942 Overly Permissive Cross-domain Whitelist
R 943 Improper Neutralization of Special Elements in Data Query Logic
R 966 SFP Secondary Cluster: Other Exposures
R 980 SFP Secondary Cluster: Link in Resource Name Resolution
R 990 SFP Secondary Cluster: Tainted Input to Command
R 1004 Sensitive Cookie Without 'HttpOnly' Flag
DN 1005 7PK - Input Validation and Representation

Detailed Difference Report
1 DEPRECATED: Location
Major Description, Maintenance_Notes, Name, Type
Minor None
2 7PK - Environment
Major Description, Maintenance_Notes, Name
Minor None
3 DEPRECATED: Technology-specific Environment Issues
Major Description, Maintenance_Notes, Name, Type
Minor None
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Common_Consequences, Description
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships
Minor None
7 J2EE Misconfiguration: Missing Custom Error Page
Major References
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Demonstrative_Examples
Minor None
10 DEPRECATED: ASP.NET Environment Issues
Major Description, Name, Relationships, Taxonomy_Mappings, Type
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Relationships
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Relationships
Minor None
14 Compiler Removal of Code to Clear Buffers
Major References, Relationships, Taxonomy_Mappings
Minor None
15 External Control of System or Configuration Setting
Major Modes_of_Introduction, Relationships
Minor None
16 Configuration
Major Detection_Factors
Minor None
18 Source Code
Major Relationships
Minor None
19 Data Processing Errors
Major Related_Attack_Patterns, Relationships
Minor None
20 Improper Input Validation
Major Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
21 Pathname Traversal and Equivalence Errors
Major Applicable_Platforms, Description, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Affected_Resources, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Relevant_Properties, Taxonomy_Mappings
Minor Applicable_Platforms, Functional_Areas
23 Relative Path Traversal
Major Applicable_Platforms
Minor None
24 Path Traversal: '../filedir'
Major Applicable_Platforms
Minor None
25 Path Traversal: '/../filedir'
Major Applicable_Platforms
Minor None
26 Path Traversal: '/dir/../filename'
Major Applicable_Platforms
Minor None
27 Path Traversal: 'dir/../../filename'
Major Applicable_Platforms
Minor None
28 Path Traversal: '..\filedir'
Major Applicable_Platforms
Minor None
29 Path Traversal: '\..\filename'
Major Applicable_Platforms
Minor None
30 Path Traversal: '\dir\..\filename'
Major Applicable_Platforms
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Applicable_Platforms
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Applicable_Platforms
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Applicable_Platforms
Minor None
34 Path Traversal: '....//'
Major Applicable_Platforms
Minor None
35 Path Traversal: '.../...//'
Major Applicable_Platforms
Minor None
36 Absolute Path Traversal
Major Applicable_Platforms
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
39 Path Traversal: 'C:dirname'
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Applicable_Platforms
Minor None
41 Improper Resolution of Path Equivalence
Major Affected_Resources, Applicable_Platforms, Relationships, Taxonomy_Mappings
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Applicable_Platforms
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Applicable_Platforms, Observed_Examples
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Applicable_Platforms
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Applicable_Platforms
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Applicable_Platforms
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Applicable_Platforms
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major None
Minor Applicable_Platforms
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Applicable_Platforms
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Applicable_Platforms
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Applicable_Platforms
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Applicable_Platforms
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Applicable_Platforms
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Applicable_Platforms
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Applicable_Platforms
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Applicable_Platforms
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Applicable_Platforms
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Applicable_Platforms, References
Minor Functional_Areas
59 Improper Link Resolution Before File Access ('Link Following')
Major Affected_Resources, Applicable_Platforms, Causal_Nature, Common_Consequences, Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
60 DEPRECATED: UNIX Path Link Problems
Major Applicable_Platforms, Description, Name, Relationships, Type
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships
Minor None
62 UNIX Hard Link
Major Applicable_Platforms, Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings
Minor None
63 DEPRECATED: Windows Path Link Problems
Major Applicable_Platforms, Description, Name, Relationships, Type
Minor None
64 Windows Shortcut Following (.LNK)
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings
Minor None
65 Windows Hard Link
Major Applicable_Platforms, Relationships, Taxonomy_Mappings
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Affected_Resources, Applicable_Platforms, Relationships
Minor Functional_Areas
67 Improper Handling of Windows Device Names
Major Affected_Resources, Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings
Minor None
68 DEPRECATED: Windows Virtual File Problems
Major Applicable_Platforms, Description, Name, Relationships, Type
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Applicable_Platforms, References, Relationships
Minor None
70 DEPRECATED: Mac Virtual File Problems
Major Affected_Resources, Applicable_Platforms, Description, Name, Relationships, Type
Minor None
71 DEPRECATED: Apple '.DS_Store'
Major Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Name, Observed_Examples, Relationships, Research_Gaps, Time_of_Introduction, Type
Minor None
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Applicable_Platforms, References, Relationships, Taxonomy_Mappings
Minor None
73 External Control of File Name or Path
Major Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor Applicable_Platforms, Functional_Areas
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, White_Box_Definitions
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Applicable_Platforms, Causal_Nature
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Applicable_Platforms
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Applicable_Platforms, Causal_Nature
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Applicable_Platforms, Causal_Nature
Minor None
85 Doubled Character XSS Manipulations
Major Applicable_Platforms, Causal_Nature
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Applicable_Platforms
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Applicable_Platforms
Minor None
88 Argument Injection or Modification
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, Observed_Examples, References, Relationships, White_Box_Definitions
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Causal_Nature, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Affected_Resources, Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Affected_Resources, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, White_Box_Definitions
Minor None
100 DEPRECATED: Technology-Specific Input Validation Problems
Major Description, Name, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
101 DEPRECATED: Struts Validation Problems
Major Applicable_Platforms, Description, Name, Relationships, Type
Minor None
102 Struts: Duplicate Validation Forms
Major Causal_Nature, Relationships
Minor None
103 Struts: Incomplete validate() Method Definition
Major Causal_Nature, Relationships
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Causal_Nature, Relationships
Minor None
105 Struts: Form Field Without Validator
Major Causal_Nature, Relationships
Minor None
106 Struts: Plug-in Framework not in Use
Major Causal_Nature, Relationships
Minor None
107 Struts: Unused Validation Form
Major Causal_Nature, Relationships
Minor None
108 Struts: Unvalidated Action Form
Major Causal_Nature, Relationships
Minor None
109 Struts: Validator Turned Off
Major Causal_Nature, Relationships
Minor None
110 Struts: Validator Without Form Field
Major Causal_Nature, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, Relationships
Minor None
111 Direct Use of Unsafe JNI
Major Causal_Nature, Potential_Mitigations, References
Minor None
112 Missing XML Validation
Major Applicable_Platforms, Causal_Nature, Relationships
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Applicable_Platforms, Demonstrative_Examples
Minor None
114 Process Control
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
115 Misinterpretation of Input
Major Applicable_Platforms
Minor None
116 Improper Encoding or Escaping of Output
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings
Minor None
117 Improper Output Neutralization for Logs
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships
Minor None
118 Incorrect Access of Indexable Resource ('Range Error')
Major Applicable_Platforms
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships, Taxonomy_Mappings
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
121 Stack-based Buffer Overflow
Major Background_Details, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
122 Heap-based Buffer Overflow
Major Causal_Nature, Likelihood_of_Exploit, Observed_Examples, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
123 Write-what-where Condition
Major Causal_Nature, Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Causal_Nature, Demonstrative_Examples, References
Minor None
125 Out-of-bounds Read
Major Causal_Nature, Observed_Examples, Taxonomy_Mappings
Minor None
126 Buffer Over-read
Major Causal_Nature, Demonstrative_Examples
Minor None
127 Buffer Under-read
Major Causal_Nature
Minor None
128 Wrap-around Error
Major Causal_Nature, Taxonomy_Mappings
Minor None
129 Improper Validation of Array Index
Major Causal_Nature, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
130 Improper Handling of Length Parameter Inconsistency
Major Applicable_Platforms, Causal_Nature, Demonstrative_Examples
Minor None
131 Incorrect Calculation of Buffer Size
Major Likelihood_of_Exploit, References, Taxonomy_Mappings
Minor None
133 String Errors
Major Related_Attack_Patterns
Minor None
134 Use of Externally-Controlled Format String
Major Applicable_Platforms, Causal_Nature, Functional_Areas, Likelihood_of_Exploit, Other_Notes, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
135 Incorrect Calculation of Multi-Byte String Length
Major Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Taxonomy_Mappings
Minor None
138 Improper Neutralization of Special Elements
Major Modes_of_Introduction, Potential_Mitigations, Relationships
Minor Applicable_Platforms
141 Improper Neutralization of Parameter/Argument Delimiters
Major Applicable_Platforms
Minor None
142 Improper Neutralization of Value Delimiters
Major Applicable_Platforms
Minor None
143 Improper Neutralization of Record Delimiters
Major Applicable_Platforms
Minor None
144 Improper Neutralization of Line Delimiters
Major Applicable_Platforms
Minor None
145 Improper Neutralization of Section Delimiters
Major Applicable_Platforms
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major None
Minor Applicable_Platforms
147 Improper Neutralization of Input Terminators
Major Applicable_Platforms
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
151 Improper Neutralization of Comment Delimiters
Major Applicable_Platforms
Minor None
152 Improper Neutralization of Macro Symbols
Major Applicable_Platforms
Minor None
153 Improper Neutralization of Substitution Characters
Major Applicable_Platforms
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Applicable_Platforms
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Applicable_Platforms
Minor None
156 Improper Neutralization of Whitespace
Major Applicable_Platforms
Minor None
157 Failure to Sanitize Paired Delimiters
Major None
Minor Applicable_Platforms
158 Improper Neutralization of Null Byte or NUL Character
Major Applicable_Platforms
Minor None
159 Failure to Sanitize Special Element
Major Applicable_Platforms, Relationships
Minor None
160 Improper Neutralization of Leading Special Elements
Major Applicable_Platforms, Relationships
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Applicable_Platforms
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Applicable_Platforms, Relationships
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Applicable_Platforms
Minor None
164 Improper Neutralization of Internal Special Elements
Major Applicable_Platforms, Relationships
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Applicable_Platforms
Minor None
166 Improper Handling of Missing Special Element
Major Applicable_Platforms
Minor None
167 Improper Handling of Additional Special Element
Major Applicable_Platforms
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Applicable_Platforms
Minor None
169 DEPRECATED: Technology-Specific Special Elements
Major Applicable_Platforms, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Type
Minor None
170 Improper Null Termination
Major Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major Applicable_Platforms, References, Related_Attack_Patterns, Relationships
Minor None
172 Encoding Error
Major Applicable_Platforms
Minor None
173 Improper Handling of Alternate Encoding
Major Applicable_Platforms
Minor None
174 Double Decoding of the Same Data
Major Applicable_Platforms
Minor None
175 Improper Handling of Mixed Encoding
Major Applicable_Platforms
Minor None
176 Improper Handling of Unicode Encoding
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Applicable_Platforms
Minor None
178 Improper Handling of Case Sensitivity
Major Affected_Resources, Applicable_Platforms, Functional_Areas, Relationships
Minor None
179 Incorrect Behavior Order: Early Validation
Major Applicable_Platforms
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Applicable_Platforms, Functional_Areas
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Applicable_Platforms
Minor None
182 Collapse of Data into Unsafe Value
Major Applicable_Platforms, Relevant_Properties
Minor None
183 Permissive Whitelist
Major Applicable_Platforms
Minor None
184 Incomplete Blacklist
Major Applicable_Platforms, References
Minor None
185 Incorrect Regular Expression
Major References
Minor Applicable_Platforms
186 Overly Restrictive Regular Expression
Major Applicable_Platforms
Minor None
187 Partial Comparison
Major Applicable_Platforms
Minor None
189 Numeric Errors
Major Applicable_Platforms, Relationships, Taxonomy_Mappings
Minor None
190 Integer Overflow or Wraparound
Major Functional_Areas, Observed_Examples, References, Taxonomy_Mappings
Minor Applicable_Platforms
191 Integer Underflow (Wrap or Wraparound)
Major Taxonomy_Mappings
Minor None
192 Integer Coercion Error
Major Relationships, Taxonomy_Mappings, Type
Minor None
193 Off-by-one Error
Major Applicable_Platforms, References, Taxonomy_Mappings
Minor None
194 Unexpected Sign Extension
Major References, Taxonomy_Mappings
Minor None
195 Signed to Unsigned Conversion Error
Major Observed_Examples, Taxonomy_Mappings
Minor None
197 Numeric Truncation Error
Major Taxonomy_Mappings
Minor None
198 Use of Incorrect Byte Ordering
Major Applicable_Platforms
Minor None
199 Information Management Errors
Major Applicable_Platforms
Minor None
200 Information Exposure
Major References
Minor Applicable_Platforms
201 Information Exposure Through Sent Data
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
202 Exposure of Sensitive Data Through Data Queries
Major Applicable_Platforms
Minor None
203 Information Exposure Through Discrepancy
Major Applicable_Platforms
Minor None
204 Response Discrepancy Information Exposure
Major Applicable_Platforms
Minor None
205 Information Exposure Through Behavioral Discrepancy
Major Applicable_Platforms
Minor None
206 Information Exposure of Internal State Through Behavioral Inconsistency
Major Applicable_Platforms
Minor None
207 Information Exposure Through an External Behavioral Inconsistency
Major Applicable_Platforms
Minor None
208 Information Exposure Through Timing Discrepancy
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor Functional_Areas
209 Information Exposure Through an Error Message
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor None
210 Information Exposure Through Self-generated Error Message
Major Applicable_Platforms, Functional_Areas, Modes_of_Introduction, Relationships
Minor None
211 Information Exposure Through Externally-Generated Error Message
Major Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
Minor Functional_Areas, Name
212 Improper Cross-boundary Removal of Sensitive Data
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
213 Intentional Information Exposure
Major Applicable_Platforms
Minor None
214 Information Exposure Through Process Environment
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
215 Information Exposure Through Debug Information
Major Applicable_Platforms
Minor None
216 Containment Errors (Container Errors)
Major Applicable_Platforms, Relationships
Minor None
219 Sensitive Data Under Web Root
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
220 Sensitive Data Under FTP Root
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
221 Information Loss or Omission
Major Applicable_Platforms
Minor None
222 Truncation of Security-relevant Information
Major Applicable_Platforms
Minor None
223 Omission of Security-relevant Information
Major Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, References, Relationships
Minor None
226 Sensitive Information Uncleared Before Release
Major Causal_Nature, Functional_Areas, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
227 7PK - API Abuse
Major Alternate_Terms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Relevant_Properties
Minor None
230 Improper Handling of Missing Values
Major Applicable_Platforms
Minor None
231 Improper Handling of Extra Values
Major Applicable_Platforms, Time_of_Introduction
Minor None
232 Improper Handling of Undefined Values
Major Applicable_Platforms
Minor None
234 Failure to Handle Missing Parameter
Major Applicable_Platforms, Demonstrative_Examples
Minor None
235 Improper Handling of Extra Parameters
Major Applicable_Platforms, Time_of_Introduction
Minor None
236 Improper Handling of Undefined Parameters
Major Applicable_Platforms
Minor None
238 Improper Handling of Incomplete Structural Elements
Major Applicable_Platforms, Causal_Nature
Minor None
239 Failure to Handle Incomplete Element
Major Applicable_Platforms
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Applicable_Platforms, Type
Minor None
241 Improper Handling of Unexpected Data Type
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
242 Use of Inherently Dangerous Function
Major Causal_Nature, References, Relationships, Taxonomy_Mappings
Minor None
243 Creation of chroot Jail Without Changing Working Directory
Major Affected_Resources, Causal_Nature, Modes_of_Introduction, Relationships
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Causal_Nature, Relationships
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major Causal_Nature, Relationships
Minor None
248 Uncaught Exception
Major Relationships, Taxonomy_Mappings
Minor None
250 Execution with Unnecessary Privileges
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
251 Often Misused: String Management
Major Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Relationships, White_Box_Definitions
Minor None
252 Unchecked Return Value
Major Applicable_Platforms, References, Relationships, Taxonomy_Mappings
Minor None
253 Incorrect Check of Function Return Value
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
254 7PK - Security Features
Major Name, Relationships
Minor None
255 Credentials Management
Major Applicable_Platforms, Detection_Factors
Minor None
256 Plaintext Storage of a Password
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
257 Storing Passwords in a Recoverable Format
Major Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
258 Empty Password in Configuration File
Major Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
259 Use of Hard-coded Password
Major Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, White_Box_Definitions
Minor Applicable_Platforms
260 Password in Configuration File
Major Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
261 Weak Cryptography for Passwords
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
262 Not Using Password Aging
Major Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
263 Password Aging with Long Expiration
Major Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
264 Permissions, Privileges, and Access Controls
Major Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
Minor None
265 Privilege / Sandbox Issues
Major Detection_Factors, Potential_Mitigations, Relationships
Minor None
266 Incorrect Privilege Assignment
Major Causal_Nature, Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
267 Privilege Defined With Unsafe Actions
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
268 Privilege Chaining
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships
Minor None
269 Improper Privilege Management
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Type
Minor None
270 Privilege Context Switching Error
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
271 Privilege Dropping / Lowering Errors
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
Minor None
272 Least Privilege Violation
Major Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
273 Improper Check for Dropped Privileges
Major Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
274 Improper Handling of Insufficient Privileges
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
Minor None
275 Permission Issues
Major Affected_Resources, Detection_Factors, Functional_Areas, Related_Attack_Patterns, Relationships
Minor None
276 Incorrect Default Permissions
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
277 Insecure Inherited Permissions
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
278 Insecure Preserved Inherited Permissions
Major Applicable_Platforms
Minor None
279 Incorrect Execution-Assigned Permissions
Major Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Applicable_Platforms, Modes_of_Introduction, Observed_Examples, Relationships
Minor None
281 Improper Preservation of Permissions
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
282 Improper Ownership Management
Major Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
283 Unverified Ownership
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
284 Improper Access Control
Major Affected_Resources, Modes_of_Introduction, Observed_Examples, References, Relationships
Minor None
285 Improper Authorization
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
286 Incorrect User Management
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
287 Improper Authentication
Major Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
288 Authentication Bypass Using an Alternate Path or Channel
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
290 Authentication Bypass by Spoofing
Major Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
291 Reliance on IP Address for Authentication
Major Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor Applicable_Platforms
293 Using Referer Field for Authentication
Major Applicable_Platforms, Modes_of_Introduction, Relationships, Relevant_Properties
Minor None
294 Authentication Bypass by Capture-replay
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
295 Improper Certificate Validation
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
296 Improper Following of a Certificate's Chain of Trust
Major Demonstrative_Examples, Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
297 Improper Validation of Certificate with Host Mismatch
Major Demonstrative_Examples, Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
298 Improper Validation of Certificate Expiration
Major Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor Applicable_Platforms
299 Improper Check for Certificate Revocation
Major Demonstrative_Examples, Modes_of_Introduction, Relationships, Type
Minor Applicable_Platforms
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
301 Reflection Attack in an Authentication Protocol
Major Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
303 Incorrect Implementation of Authentication Algorithm
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
304 Missing Critical Step in Authentication
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
305 Authentication Bypass by Primary Weakness
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
306 Missing Authentication for Critical Function
Major Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
307 Improper Restriction of Excessive Authentication Attempts
Major Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor Applicable_Platforms
308 Use of Single-factor Authentication
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
309 Use of Password System for Primary Authentication
Major Applicable_Platforms, Likelihood_of_Exploit
Minor None
310 Cryptographic Issues
Major Applicable_Platforms, Functional_Areas, References, Related_Attack_Patterns, Relationship_Notes
Minor None
311 Missing Encryption of Sensitive Data
Major Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships
Minor Applicable_Platforms
312 Cleartext Storage of Sensitive Information
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
313 Cleartext Storage in a File or on Disk
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
314 Cleartext Storage in the Registry
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
315 Cleartext Storage of Sensitive Information in a Cookie
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
316 Cleartext Storage of Sensitive Information in Memory
Major Modes_of_Introduction, Observed_Examples, Relationships
Minor Applicable_Platforms
317 Cleartext Storage of Sensitive Information in GUI
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
318 Cleartext Storage of Sensitive Information in Executable
Major Modes_of_Introduction, Observed_Examples, Relationships
Minor Applicable_Platforms
319 Cleartext Transmission of Sensitive Information
Major Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
320 Key Management Errors
Major Applicable_Platforms, Observed_Examples
Minor None
321 Use of Hard-coded Cryptographic Key
Major Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
322 Key Exchange without Entity Authentication
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
323 Reusing a Nonce, Key Pair in Encryption
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
324 Use of a Key Past its Expiration Date
Major Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor Applicable_Platforms
325 Missing Required Cryptographic Step
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
326 Inadequate Encryption Strength
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
328 Reversible One-Way Hash
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
329 Not Using a Random IV with CBC Mode
Major Applicable_Platforms, Demonstrative_Examples
Minor None
330 Use of Insufficiently Random Values
Major Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
331 Insufficient Entropy
Major Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
332 Insufficient Entropy in PRNG
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
334 Small Space of Random Values
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major Applicable_Platforms, Description, Modes_of_Introduction, Name, Relationships, Type
Minor None
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major Applicable_Platforms, Description, Modes_of_Introduction, Name, References, Relationships
Minor None
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, References, Relationships
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major Demonstrative_Examples, Description, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
339 Small Seed Space in PRNG
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
341 Predictable from Observable State
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
342 Predictable Exact Value from Previous Values
Major Applicable_Platforms, References
Minor None
343 Predictable Value Range from Previous Values
Major Applicable_Platforms, References
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Applicable_Platforms, References, Relevant_Properties
Minor None
345 Insufficient Verification of Data Authenticity
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
346 Origin Validation Error
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
347 Improper Verification of Cryptographic Signature
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
348 Use of Less Trusted Source
Major Applicable_Platforms
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major Demonstrative_Examples, Relationships
Minor Applicable_Platforms
351 Insufficient Type Distinction
Major Applicable_Platforms
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor None
353 Missing Support for Integrity Check
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
354 Improper Validation of Integrity Check Value
Major Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
356 Product UI does not Warn User of Unsafe Actions
Major Applicable_Platforms
Minor None
357 Insufficient UI Warning of Dangerous Operations
Major Applicable_Platforms
Minor None
358 Improperly Implemented Security Check for Standard
Major Applicable_Platforms
Minor None
359 Exposure of Private Information ('Privacy Violation')
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
360 Trust of System Event Data
Major Applicable_Platforms
Minor None
361 7PK - Time and State
Major Description, Name, References, Related_Attack_Patterns, Taxonomy_Mappings
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Demonstrative_Examples, References, Research_Gaps, Taxonomy_Mappings
Minor Applicable_Platforms
363 Race Condition Enabling Link Following
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
364 Signal Handler Race Condition
Major Observed_Examples, Relationships
Minor Functional_Areas
365 Race Condition in Switch
Major Demonstrative_Examples
Minor None
366 Race Condition within a Thread
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
368 Context Switching Race Condition
Major Applicable_Platforms
Minor None
369 Divide By Zero
Major Demonstrative_Examples, Taxonomy_Mappings
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major Demonstrative_Examples, Modes_of_Introduction, Relationships, Type
Minor Applicable_Platforms
371 State Issues
Major Related_Attack_Patterns, Relationships
Minor None
372 Incomplete Internal State Distinction
Major Applicable_Platforms
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Demonstrative_Examples
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major Taxonomy_Mappings
Minor None
376 Temporary File Issues
Major Affected_Resources, Relationships
Minor None
377 Insecure Temporary File
Major Applicable_Platforms, References, Taxonomy_Mappings
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Applicable_Platforms, Demonstrative_Examples
Minor None
379 Creation of Temporary File in Directory with Incorrect Permissions
Major Applicable_Platforms, Demonstrative_Examples, Taxonomy_Mappings
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major Relationships
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Relationships
Minor None
384 Session Fixation
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
385 Covert Timing Channel
Major Applicable_Platforms, Demonstrative_Examples
Minor None
386 Symbolic Name not Mapping to Correct Object
Major Applicable_Platforms
Minor None
387 Signal Errors
Major Affected_Resources, Applicable_Platforms, Observed_Examples, Relationships
Minor None
388 7PK - Errors
Major Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
389 Error Conditions, Return Values, Status Codes
Major Applicable_Platforms, Description, Other_Notes, References, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
390 Detection of Error Condition Without Action
Major Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
391 Unchecked Error Condition
Major Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
392 Missing Report of Error Condition
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
393 Return of Wrong Status Code
Major Applicable_Platforms
Minor None
394 Unexpected Status Code or Return Value
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
398 7PK - Code Quality
Major Common_Consequences, Description, Detection_Factors, Name, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
399 Resource Management Errors
Major Applicable_Platforms, Detection_Factors, Relationships
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, References, Relationships
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor Functional_Areas
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major Affected_Resources, Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor None
404 Improper Resource Shutdown or Release
Major Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Applicable_Platforms, Functional_Areas
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction
Minor None
407 Algorithmic Complexity
Major Likelihood_of_Exploit
Minor Applicable_Platforms
408 Incorrect Behavior Order: Early Amplification
Major Applicable_Platforms
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Applicable_Platforms
Minor None
410 Insufficient Resource Pool
Major Applicable_Platforms, Functional_Areas, References
Minor None
412 Unrestricted Externally Accessible Lock
Major Applicable_Platforms, Relationships, White_Box_Definitions
Minor None
413 Improper Resource Locking
Major Applicable_Platforms
Minor None
414 Missing Lock Check
Major Applicable_Platforms
Minor None
415 Double Free
Major Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
416 Use After Free
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
417 Channel and Path Errors
Major Applicable_Platforms, Maintenance_Notes, Relationships
Minor None
418 DEPRECATED: Channel Errors
Major Applicable_Platforms, Description, Name, Relationships, Taxonomy_Mappings, Type
Minor None
419 Unprotected Primary Channel
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
420 Unprotected Alternate Channel
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
421 Race Condition During Access to Alternate Channel
Major Applicable_Platforms, Relationships
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Applicable_Platforms, Relationships
Minor None
424 Improper Protection of Alternate Path
Major Applicable_Platforms
Minor None
425 Direct Request ('Forced Browsing')
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
426 Untrusted Search Path
Major Demonstrative_Examples, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms, Functional_Areas
427 Uncontrolled Search Path Element
Major None
Minor Applicable_Platforms
428 Unquoted Search Path or Element
Major Applicable_Platforms, Demonstrative_Examples
Minor Functional_Areas
430 Deployment of Wrong Handler
Major Applicable_Platforms
Minor None
431 Missing Handler
Major Applicable_Platforms
Minor None
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major None
Minor Applicable_Platforms
433 Unparsed Raw Web Content Delivery
Major Applicable_Platforms, Observed_Examples
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Affected_Resources, Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Weakness_Ordinalities
Minor None
435 Improper Interaction Between Multiple Entities
Major Applicable_Platforms, Name, Relationships
Minor None
436 Interpretation Conflict
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor Applicable_Platforms
437 Incomplete Model of Endpoint Features
Major Applicable_Platforms
Minor None
438 Behavioral Problems
Major Relationships
Minor None
439 Behavioral Change in New Version or Environment
Major Applicable_Platforms
Minor None
440 Expected Behavior Violation
Major Applicable_Platforms, Relevant_Properties
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
442 Web Problems
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Applicable_Platforms
Minor None
446 UI Discrepancy for Security Feature
Major Applicable_Platforms
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Applicable_Platforms
Minor None
448 Obsolete Feature in UI
Major Applicable_Platforms
Minor None
449 The UI Performs the Wrong Action
Major Applicable_Platforms
Minor None
450 Multiple Interpretations of UI Input
Major Applicable_Platforms
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Observed_Examples, References, Relationships, Type
Minor Applicable_Platforms
452 Initialization and Cleanup Errors
Major Applicable_Platforms, Research_Gaps
Minor None
453 Insecure Default Variable Initialization
Major Applicable_Platforms
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Description
Minor Applicable_Platforms
455 Non-exit on Failed Initialization
Major Applicable_Platforms
Minor None
456 Missing Initialization of a Variable
Major Taxonomy_Mappings
Minor Applicable_Platforms
457 Use of Uninitialized Variable
Major References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor Applicable_Platforms
459 Incomplete Cleanup
Major Applicable_Platforms, Taxonomy_Mappings
Minor Functional_Areas
460 Improper Cleanup on Thrown Exception
Major Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
462 Duplicate Key in Associative List (Alist)
Major Taxonomy_Mappings
Minor None
463 Deletion of Data Structure Sentinel
Major Demonstrative_Examples
Minor None
464 Addition of Data Structure Sentinel
Major Demonstrative_Examples, Likelihood_of_Exploit, Taxonomy_Mappings
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Taxonomy_Mappings, White_Box_Definitions
Minor None
467 Use of sizeof() on a Pointer Type
Major Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions
Minor None
468 Incorrect Pointer Scaling
Major Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major White_Box_Definitions
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major None
Minor Applicable_Platforms
472 External Control of Assumed-Immutable Web Parameter
Major Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
473 PHP External Variable Modification
Major Modes_of_Introduction, Relationships
Minor None
474 Use of Function with Inconsistent Implementations
Major Relationships
Minor Applicable_Platforms
475 Undefined Behavior for Input to API
Major Applicable_Platforms, Relationships
Minor None
476 NULL Pointer Dereference
Major Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
477 Use of Obsolete Function
Major Applicable_Platforms, Name, Relationships, Taxonomy_Mappings
Minor None
478 Missing Default Case in Switch Statement
Major Relationships
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Observed_Examples, Relationships, Taxonomy_Mappings
Minor None
480 Use of Incorrect Operator
Major Demonstrative_Examples, Taxonomy_Mappings
Minor Applicable_Platforms
481 Assigning instead of Comparing
Major Demonstrative_Examples, Taxonomy_Mappings
Minor None
482 Comparing instead of Assigning
Major Demonstrative_Examples, Taxonomy_Mappings
Minor None
483 Incorrect Block Delimitation
Major Relationships
Minor None
484 Omitted Break Statement in Switch
Major Demonstrative_Examples, Relationships
Minor None
485 7PK - Encapsulation
Major Common_Consequences, Description, Maintenance_Notes, Name, Other_Notes, References, Relationships, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Type
Minor None
486 Comparison of Classes by Name
Major Relationships, Relevant_Properties
Minor None
487 Reliance on Package-level Scope
Major Demonstrative_Examples, Relationships
Minor None
488 Exposure of Data Element to Wrong Session
Major Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
489 Leftover Debug Code
Major Applicable_Platforms, Relationships, White_Box_Definitions
Minor None
490 Mobile Code Issues
Major Other_Notes, Relationships
Minor None
494 Download of Code Without Integrity Check
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
495 Private Array-Typed Field Returned From A Public Method
Major Relationships, White_Box_Definitions
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Relationships, White_Box_Definitions
Minor None
497 Exposure of System Data to an Unauthorized Control Sphere
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
498 Cloneable Class Containing Sensitive Information
Major Demonstrative_Examples, Potential_Mitigations, Relationships
Minor None
499 Serializable Class Containing Sensitive Data
Major Relationships
Minor None
500 Public Static Field Not Marked Final
Major White_Box_Definitions
Minor None
501 Trust Boundary Violation
Major Applicable_Platforms, Relationships
Minor None
502 Deserialization of Untrusted Data
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Potential_Mitigations, References, Relationships
Minor None
503 DEPRECATED: Byte/Object Code
Major Description, Maintenance_Notes, Name, Type
Minor None
504 DEPRECATED: Motivation/Intent
Major Description, Maintenance_Notes, Name, Type
Minor None
505 DEPRECATED: Intentionally Introduced Weakness
Major Demonstrative_Examples, Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Type
Minor None
506 Embedded Malicious Code
Major Demonstrative_Examples, Relationships
Minor None
507 Trojan Horse
Major References, Terminology_Notes
Minor None
511 Logic/Time Bomb
Major References
Minor Applicable_Platforms
513 DEPRECATED: Intentionally Introduced Nonmalicious Weakness
Major Description, Name, Relationships, Taxonomy_Mappings, Type
Minor None
514 Covert Channel
Major Relationships
Minor None
517 DEPRECATED: Other Intentional, Nonmalicious Weakness
Major Description, Name, Relationships, Taxonomy_Mappings, Type
Minor None
518 DEPRECATED: Inadvertently Introduced Weakness
Major Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
519 .NET Environment Issues
Major Description, Relationships, Taxonomy_Mappings
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Taxonomy_Mappings
Minor None
521 Weak Password Requirements
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
522 Insufficiently Protected Credentials
Major Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
523 Unprotected Transport of Credentials
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
524 Information Exposure Through Caching
Major Taxonomy_Mappings
Minor None
525 Information Exposure Through Browser Caching
Major Taxonomy_Mappings
Minor None
527 Exposure of CVS Repository to an Unauthorized Control Sphere
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
531 Information Exposure Through Test Code
Major Taxonomy_Mappings
Minor None
532 Information Exposure Through Log Files
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
533 Information Exposure Through Server Log Files
Major Affected_Resources, Relationships, Taxonomy_Mappings
Minor None
534 Information Exposure Through Debug Log Files
Major Taxonomy_Mappings
Minor None
535 Information Exposure Through Shell Error Message
Major Taxonomy_Mappings
Minor None
536 Information Exposure Through Servlet Runtime Error Message
Major Taxonomy_Mappings
Minor None
537 Information Exposure Through Java Runtime Error Message
Major Taxonomy_Mappings
Minor None
538 File and Directory Information Exposure
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
539 Information Exposure Through Persistent Cookies
Major Taxonomy_Mappings
Minor None
540 Information Exposure Through Source Code
Major Taxonomy_Mappings
Minor None
541 Information Exposure Through Include Source Code
Major Taxonomy_Mappings
Minor None
542 Information Exposure Through Cleanup Log Files
Major Taxonomy_Mappings
Minor None
544 Missing Standardized Error Handling Mechanism
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
546 Suspicious Comment
Major Relationships, Taxonomy_Mappings
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
548 Information Exposure Through Directory Listing
Major Taxonomy_Mappings
Minor None
549 Missing Password Field Masking
Major Taxonomy_Mappings
Minor None
550 Information Exposure Through Server Error Message
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
552 Files or Directories Accessible to External Parties
Major Affected_Resources, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
553 Command Shell in Externally Accessible Directory
Major Taxonomy_Mappings
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Relationships, Taxonomy_Mappings
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Taxonomy_Mappings
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Relationships, Taxonomy_Mappings
Minor None
557 Concurrency Issues
Major Relationships
Minor None
559 Often Misused: Arguments and Parameters
Major Related_Attack_Patterns, Relationships
Minor None
560 Use of umask() with chmod-style Argument
Major Taxonomy_Mappings
Minor None
561 Dead Code
Major Relationships, Taxonomy_Mappings
Minor None
562 Return of Stack Variable Address
Major Relationships, Taxonomy_Mappings
Minor None
563 Assignment to Variable without Use
Major Alternate_Terms, Name, Relationships, Taxonomy_Mappings
Minor None
564 SQL Injection: Hibernate
Major Taxonomy_Mappings
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Modes_of_Introduction, Relationships
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Applicable_Platforms
Minor None
570 Expression is Always False
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
571 Expression is Always True
Major Applicable_Platforms, Relationships, Taxonomy_Mappings
Minor None
572 Call to Thread run() instead of start()
Major Relationships
Minor None
573 Improper Following of Specification by Caller
Major Observed_Examples, Relationships
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Modes_of_Introduction, Relationships
Minor None
580 clone() Method Without super.clone()
Major Relationships
Minor None
585 Empty Synchronized Block
Major Relationships
Minor None
586 Explicit Call to Finalize()
Major Relationships
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Applicable_Platforms, Taxonomy_Mappings, White_Box_Definitions
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Demonstrative_Examples
Minor None
589 Call to Non-ubiquitous API
Major Relationships
Minor None
590 Free of Memory not on the Heap
Major Taxonomy_Mappings
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Relationships, Taxonomy_Mappings
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Demonstrative_Examples, Modes_of_Introduction, Relationships
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Relationships
Minor None
595 Comparison of Object References Instead of Object Contents
Major None
Minor Applicable_Platforms
597 Use of Wrong Operator in String Comparison
Major Taxonomy_Mappings
Minor None
599 Missing Validation of OpenSSL Certificate
Major Modes_of_Introduction, Relationships
Minor None
600 Uncaught Exception in Servlet
Major Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
602 Client-Side Enforcement of Server-Side Security
Major Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships
Minor None
603 Use of Client-Side Authentication
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
605 Multiple Binds to the Same Port
Major Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Relationships, Taxonomy_Mappings
Minor None
606 Unchecked Input for Loop Condition
Major Demonstrative_Examples, Taxonomy_Mappings
Minor None
607 Public Static Final Field References Mutable Object
Major Relationships, Taxonomy_Mappings
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Causal_Nature, Relationships, Taxonomy_Mappings
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor None
611 Improper Restriction of XML External Entity Reference ('XXE')
Major Modes_of_Introduction, References, Relationships, Relevant_Properties
Minor None
612 Information Exposure Through Indexing of Private Data
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
613 Insufficient Session Expiration
Major Modes_of_Introduction, Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Taxonomy_Mappings
Minor None
615 Information Exposure Through Comments
Major Demonstrative_Examples
Minor None
617 Reachable Assertion
Major Relationships
Minor None
618 Exposed Unsafe ActiveX Method
Major References, Relationships
Minor None
619 Dangling Database Cursor ('Cursor Injection')
Major Relationships
Minor None
620 Unverified Password Change
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
622 Improper Validation of Function Hook Arguments
Major Applicable_Platforms
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major References
Minor None
624 Executable Regular Expression Error
Major Observed_Examples
Minor None
625 Permissive Regular Expression
Major Demonstrative_Examples, Observed_Examples
Minor None
627 Dynamic Variable Evaluation
Major References
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
629 Weaknesses in OWASP Top Ten (2007)
Major References
Minor None
630 DEPRECATED: Weaknesses Examined by SAMATE
Major Description, Name, References, Relationships, Type
Minor None
631 DEPRECATED: Resource-specific Weaknesses
Major Description, Name, Relationships, Type
Minor None
632 DEPRECATED: Weaknesses that Affect Files or Directories
Major Description, Name, Relationships, Type
Minor None
633 DEPRECATED: Weaknesses that Affect Memory
Major Description, Name, Relationships, Type
Minor None
634 DEPRECATED: Weaknesses that Affect System Processes
Major Description, Name, Relationships, Type
Minor None
635 Weaknesses Originally Used by NVD from 2008 to 2016
Major Description, Maintenance_Notes, Name
Minor None
636 Not Failing Securely ('Failing Open')
Major Applicable_Platforms, Causal_Nature, Relationships
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Applicable_Platforms, Causal_Nature
Minor None
638 Not Using Complete Mediation
Major Applicable_Platforms, Causal_Nature
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
Minor Applicable_Platforms
640 Weak Password Recovery Mechanism for Forgotten Password
Major Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
Minor None
642 External Control of Critical State Data
Major Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships, Relevant_Properties
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Applicable_Platforms, Enabling_Factors_for_Exploitation
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Enabling_Factors_for_Exploitation
Minor Applicable_Platforms
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships
Minor Applicable_Platforms
648 Incorrect Use of Privileged APIs
Major Applicable_Platforms, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships
Minor None
651 Information Exposure Through WSDL File
Major Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Observed_Examples
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships
Minor None
653 Insufficient Compartmentalization
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Applicable_Platforms, Causal_Nature
Minor None
655 Insufficient Psychological Acceptability
Major Applicable_Platforms, Causal_Nature
Minor None
656 Reliance on Security Through Obscurity
Major Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
Minor None
662 Improper Synchronization
Major Taxonomy_Mappings
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Observed_Examples
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships, Taxonomy_Mappings
Minor None
665 Improper Initialization
Major References, Taxonomy_Mappings
Minor Applicable_Platforms
666 Operation on Resource in Wrong Phase of Lifetime
Major Taxonomy_Mappings
Minor None
667 Improper Locking
Major Taxonomy_Mappings
Minor None
668 Exposure of Resource to Wrong Sphere
Major Modes_of_Introduction, Relationships, Relevant_Properties
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Modes_of_Introduction, Relationships, Relevant_Properties
Minor None
670 Always-Incorrect Control Flow Implementation
Major Relationships
Minor None
671 Lack of Administrator Control over Security
Major Modes_of_Introduction, Relationships, Relevant_Properties
Minor None
672 Operation on a Resource after Expiration or Release
Major Demonstrative_Examples, Taxonomy_Mappings
Minor Applicable_Platforms
673 External Influence of Sphere Definition
Major Modes_of_Introduction, Relationships, Relevant_Properties
Minor None
674 Uncontrolled Recursion
Major Applicable_Platforms, Relationships
Minor None
675 Duplicate Operations on Resource
Major Applicable_Platforms, Relationships, Relevant_Properties, Taxonomy_Mappings
Minor None
676 Use of Potentially Dangerous Function
Major Causal_Nature, References, Relationships, Taxonomy_Mappings
Minor None
678 Composites
Major Description, View_Structure
Minor None
679 DEPRECATED: Chain Elements
Major Description, Name, Type, View_Filter
Minor None
680 Integer Overflow to Buffer Overflow
Major Applicable_Platforms, Observed_Examples, Relationships, Relevant_Properties, Taxonomy_Mappings
Minor None
681 Incorrect Conversion between Numeric Types
Major Likelihood_of_Exploit, Observed_Examples, Taxonomy_Mappings, Type
Minor Applicable_Platforms
682 Incorrect Calculation
Major Taxonomy_Mappings
Minor Applicable_Platforms
684 Incorrect Provision of Specified Functionality
Major Relationships, Type
Minor None
685 Function Call With Incorrect Number of Arguments
Major Taxonomy_Mappings
Minor None
686 Function Call With Incorrect Argument Type
Major Taxonomy_Mappings
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Taxonomy_Mappings
Minor None
689 Permission Race Condition During Resource Copy
Major Relationships
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction
Minor None
691 Insufficient Control Flow Management
Major Applicable_Platforms, Relationships, Relevant_Properties
Minor None
692 Incomplete Blacklist to Cross-Site Scripting
Major Relationships, Relevant_Properties
Minor Applicable_Platforms
693 Protection Mechanism Failure
Major Applicable_Platforms
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Relevant_Properties
Minor Applicable_Platforms
695 Use of Low-Level Functionality
Major Relationships
Minor None
696 Incorrect Behavior Order
Major Taxonomy_Mappings
Minor None
697 Insufficient Comparison
Major Taxonomy_Mappings
Minor None
699 Development Concepts
Major Maintenance_Notes, Relationships
Minor None
700 Seven Pernicious Kingdoms
Major Alternate_Terms, Other_Notes
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor None
704 Incorrect Type Conversion or Cast
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
705 Incorrect Control Flow Scoping
Major Applicable_Platforms, Relationships, Taxonomy_Mappings
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Applicable_Platforms
Minor None
707 Improper Enforcement of Message or Data Structure
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
708 Incorrect Ownership Assignment
Major Applicable_Platforms, Modes_of_Introduction, Relationships
Minor None
709 Named Chains
Major Description, View_Structure
Minor None
710 Improper Adherence to Coding Standards
Major Applicable_Platforms, Name, Relationships
Minor None
711 Weaknesses in OWASP Top Ten (2004)
Major References
Minor None
712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
Major Related_Attack_Patterns
Minor None
713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Major Related_Attack_Patterns
Minor None
714 OWASP Top Ten 2007 Category A3 - Malicious File Execution
Major Related_Attack_Patterns
Minor None
715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
Major Related_Attack_Patterns
Minor None
716 OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
Major Related_Attack_Patterns
Minor None
717 OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
Major Related_Attack_Patterns
Minor None
718 OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
Major Related_Attack_Patterns
Minor None
719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Major Related_Attack_Patterns
Minor None
721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Major Related_Attack_Patterns
Minor None
724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Major Related_Attack_Patterns
Minor None
728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
Major Relationships
Minor None
731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
733 Compiler Optimization Removal or Modification of Security-critical Code
Major References, Relationships
Minor None
734 Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version)
Major Description, Maintenance_Notes, Name, References
Minor None
735 CERT C Secure Coding (2008 Version) Section 01 - Preprocessor (PRE)
Major Description, Name, Relationship_Notes
Minor None
736 CERT C Secure Coding (2008 Version) Section 02 - Declarations and Initialization (DCL)
Major Description, Name, Relationship_Notes
Minor None
737 CERT C Secure Coding (2008 Version) Section 03 - Expressions (EXP)
Major Description, Name, Relationship_Notes
Minor None
738 CERT C Secure Coding (2008 Version) Section 04 - Integers (INT)
Major Description, Name, Relationship_Notes
Minor None
739 CERT C Secure Coding (2008 Version) Section 05 - Floating Point (FLP)
Major Description, Name, References, Relationship_Notes
Minor None
740 CERT C Secure Coding (2008 Version) Section 06 - Arrays (ARR)
Major Description, Name, Relationship_Notes
Minor None
741 CERT C Secure Coding (2008 Version) Section 07 - Characters and Strings (STR)
Major Description, Name, Relationship_Notes
Minor None
742 CERT C Secure Coding (2008 Version) Section 08 - Memory Management (MEM)
Major Description, Name, Relationship_Notes
Minor None
743 CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO)
Major Description, Name, Relationship_Notes
Minor None
744 CERT C Secure Coding (2008 Version) Section 10 - Environment (ENV)
Major Description, Name, Relationship_Notes
Minor None
745 CERT C Secure Coding (2008 Version) Section 11 - Signals (SIG)
Major Description, Name, Relationship_Notes
Minor None
746 CERT C Secure Coding (2008 Version) Section 12 - Error Handling (ERR)
Major Description, Name, Relationship_Notes
Minor None
747 CERT C Secure Coding (2008 Version) Section 49 - Miscellaneous (MSC)
Major Description, Name, Relationship_Notes
Minor None
748 CERT C Secure Coding (2008 Version) Section 50 - POSIX (POS)
Major Description, Name, Relationship_Notes
Minor None
749 Exposed Dangerous Method or Function
Major Likelihood_of_Exploit, References, Relationships
Minor Applicable_Platforms
750 Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
Major References
Minor None
751 2009 Top 25 - Insecure Interaction Between Components
Major References
Minor None
752 2009 Top 25 - Risky Resource Management
Major References
Minor None
753 2009 Top 25 - Porous Defenses
Major References
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
755 Improper Handling of Exceptional Conditions
Major Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
756 Missing Custom Error Page
Major Relationships
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Modes_of_Introduction, Relationships
Minor None
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major Relationships, Taxonomy_Mappings
Minor None
759 Use of a One-Way Hash without a Salt
Major Modes_of_Introduction, References, Relationships
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Modes_of_Introduction, References, Relationships
Minor None
762 Mismatched Memory Management Routines
Major Applicable_Platforms, References, Taxonomy_Mappings
Minor None
763 Release of Invalid Pointer or Reference
Major Relationships
Minor None
766 Critical Variable Declared Public
Major Likelihood_of_Exploit, Relationships
Minor None
767 Access to Critical Private Variable via Public Method
Major Likelihood_of_Exploit, Relationships, Taxonomy_Mappings
Minor None
768 Incorrect Short Circuit Evaluation
Major Likelihood_of_Exploit, Taxonomy_Mappings
Minor None
769 Uncontrolled File Descriptor Consumption
Major Alternate_Terms, Description, Likelihood_of_Exploit, Name, Relationships, Type
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
771 Missing Reference to Active Allocated Resource
Major Likelihood_of_Exploit, Taxonomy_Mappings
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Likelihood_of_Exploit, Taxonomy_Mappings
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Likelihood_of_Exploit, Relationships, Taxonomy_Mappings
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Likelihood_of_Exploit, Relationships
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Likelihood_of_Exploit, Relationships, Taxonomy_Mappings
Minor None
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major Likelihood_of_Exploit, References
Minor None
777 Regular Expression without Anchors
Major Likelihood_of_Exploit
Minor None
778 Insufficient Logging
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
779 Logging of Excessive Data
Major Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor Applicable_Platforms
780 Use of RSA Algorithm without OAEP
Major Modes_of_Introduction, References, Relationships
Minor None
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major Applicable_Platforms, Likelihood_of_Exploit, References
Minor None
782 Exposed IOCTL with Insufficient Access Control
Major Likelihood_of_Exploit, Modes_of_Introduction, Relationships
Minor None
783 Operator Precedence Logic Error
Major Taxonomy_Mappings, Time_of_Introduction
Minor None
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
785 Use of Path Manipulation Function without Maximum-sized Buffer
Major Affected_Resources, Demonstrative_Examples, Relationships, White_Box_Definitions
Minor None
786 Access of Memory Location Before Start of Buffer
Major Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings
Minor None
788 Access of Memory Location After End of Buffer
Major Common_Consequences, Demonstrative_Examples, Observed_Examples
Minor None
789 Uncontrolled Memory Allocation
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
790 Improper Filtering of Special Elements
Major Modes_of_Introduction, Relationships
Minor None
791 Incomplete Filtering of Special Elements
Major Modes_of_Introduction, Relationships
Minor None
792 Incomplete Filtering of One or More Instances of Special Elements
Major Modes_of_Introduction, Relationships
Minor None
793 Only Filtering One Instance of a Special Element
Major Modes_of_Introduction, Relationships
Minor None
794 Incomplete Filtering of Multiple Instances of Special Elements
Major Modes_of_Introduction, Relationships
Minor None
795 Only Filtering Special Elements at a Specified Location
Major Modes_of_Introduction, Relationships
Minor None
796 Only Filtering Special Elements Relative to a Marker
Major Modes_of_Introduction, Relationships
Minor None
797 Only Filtering Special Elements at an Absolute Position
Major Modes_of_Introduction, Relationships
Minor None
798 Use of Hard-coded Credentials
Major Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
799 Improper Control of Interaction Frequency
Major Demonstrative_Examples
Minor Applicable_Platforms
800 Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
Major References
Minor None
801 2010 Top 25 - Insecure Interaction Between Components
Major References
Minor None
802 2010 Top 25 - Risky Resource Management
Major References
Minor None
803 2010 Top 25 - Porous Defenses
Major References
Minor None
804 Guessable CAPTCHA
Major Applicable_Platforms, Likelihood_of_Exploit
Minor None
805 Buffer Access with Incorrect Length Value
Major Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings
Minor None
806 Buffer Access Using Size of Source Buffer
Major Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
808 2010 Top 25 - Weaknesses On the Cusp
Major References
Minor None
809 Weaknesses in OWASP Top Ten (2010)
Major References
Minor None
820 Missing Synchronization
Major Demonstrative_Examples
Minor None
822 Untrusted Pointer Dereference
Major Taxonomy_Mappings
Minor None
827 Improper Control of Document Type Definition
Major Modes_of_Introduction, Relationships
Minor None
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major Observed_Examples
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Modes_of_Introduction, Relationships
Minor None
830 Inclusion of Web Functionality from an Untrusted Source
Major Modes_of_Introduction, Relationships
Minor None
834 Excessive Iteration
Major Relationships
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Demonstrative_Examples
Minor Applicable_Platforms
836 Use of Password Hash Instead of Password for Authentication
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
837 Improper Enforcement of a Single, Unique Action
Major None
Minor Applicable_Platforms
838 Inappropriate Encoding for Output Context
Major References, Taxonomy_Mappings
Minor Applicable_Platforms
840 Business Logic Errors
Major Description, Observed_Examples, References, Taxonomy_Mappings
Minor None
841 Improper Enforcement of Behavioral Workflow
Major Modes_of_Introduction, References, Relationships
Minor None
842 Placement of User into Incorrect Group
Major None
Minor Applicable_Platforms
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major Applicable_Platforms, Taxonomy_Mappings
Minor None
862 Missing Authorization
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
863 Incorrect Authorization
Major Applicable_Platforms, Modes_of_Introduction, References, Relationships
Minor None
864 2011 Top 25 - Insecure Interaction Between Components
Major References
Minor None
865 2011 Top 25 - Risky Resource Management
Major References
Minor None
866 2011 Top 25 - Porous Defenses
Major References
Minor None
867 2011 Top 25 - Weaknesses On the Cusp
Major References
Minor None
881 CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP)
Major Relationships
Minor None
893 SFP Primary Cluster: Path Resolution
Major Related_Attack_Patterns
Minor None
900 Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors
Major References
Minor None
908 Use of Uninitialized Resource
Major Taxonomy_Mappings
Minor Applicable_Platforms
909 Missing Initialization of Resource
Major None
Minor Applicable_Platforms
910 Use of Expired File Descriptor
Major Taxonomy_Mappings
Minor Applicable_Platforms
911 Improper Update of Reference Count
Major None
Minor Applicable_Platforms
912 Hidden Functionality
Major Relationships
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Relationships
Minor None
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major References
Minor Applicable_Platforms
916 Use of Password Hash With Insufficient Computational Effort
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major References
Minor None
918 Server-Side Request Forgery (SSRF)
Major Applicable_Platforms, References
Minor None
920 Improper Restriction of Power Consumption
Major None
Minor Applicable_Platforms
921 Storage of Sensitive Data in a Mechanism without Access Control
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
922 Insecure Storage of Sensitive Information
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
923 Improper Restriction of Communication Channel to Intended Endpoints
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Major Modes_of_Introduction, Relationships
Minor Applicable_Platforms
925 Improper Verification of Intent by Broadcast Receiver
Major Demonstrative_Examples
Minor Applicable_Platforms
926 Improper Export of Android Application Components
Major References
Minor Applicable_Platforms
927 Use of Implicit Intent for Sensitive Communication
Major References
Minor Applicable_Platforms
928 Weaknesses in OWASP Top Ten (2013)
Major References
Minor None
939 Improper Authorization in Handler for Custom URL Scheme
Major Modes_of_Introduction, References, Relationships
Minor None
940 Improper Verification of Source of a Communication Channel
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
941 Incorrectly Specified Destination in a Communication Channel
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
942 Overly Permissive Cross-domain Whitelist
Major Modes_of_Introduction, References, Relationships
Minor Applicable_Platforms
943 Improper Neutralization of Special Elements in Data Query Logic
Major Modes_of_Introduction, Observed_Examples, Relationships
Minor Applicable_Platforms
966 SFP Secondary Cluster: Other Exposures
Major Relationships
Minor None
980 SFP Secondary Cluster: Link in Resource Name Resolution
Major Relationships
Minor None
990 SFP Secondary Cluster: Tainted Input to Command
Major Relationships
Minor None
1004 Sensitive Cookie Without 'HttpOnly' Flag
Major Applicable_Platforms, References, Relationships
Minor None
1005 7PK - Input Validation and Representation
Major Description, Name, References
Minor None
Page Last Updated: November 09, 2017