CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > Community > Research > CONSPEC: Context-Specific Nodes  
ID

CONSPEC: Context-Specific Nodes
CONSPEC: Context-Specific Nodes

Total Nodes in this Report: 46    Report Generated On: 2007-09-12

ID: 5 Name: J2EE Misconfiguration: Insecure Transport
URL: http://cwe.mitre.org/data/definitions/5.html
Information sent over a network can be compromised while in transit. An attacker may be able to read/modify the contents if the data are sent in plaintext or are weakly encrypted.
ID: 8 Name: J2EE Misconfiguration: Unsafe Bean Declaration
URL: http://cwe.mitre.org/data/definitions/8.html
Entity beans should not be declared remote.
ID: 9 Name: J2EE Misconfiguration: Weak Access Permissions
URL: http://cwe.mitre.org/data/definitions/9.html
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.
ID: 102 Name: Struts: Duplicate Validation Forms
URL: http://cwe.mitre.org/data/definitions/102.html
Multiple validation forms with the same name indicate that validation logic is not up-to-date.
ID: 103 Name: Struts: Erroneous validate() Method
URL: http://cwe.mitre.org/data/definitions/103.html
The validator form either fails to define a validate() method, or defines a validate() method but fails to call super.validate().
ID: 104 Name: Struts: Form Bean Does Not Extend Validation Class
URL: http://cwe.mitre.org/data/definitions/104.html
All Struts forms should extend a Validator class.
ID: 105 Name: Struts: Form Field Without Validator
URL: http://cwe.mitre.org/data/definitions/105.html
Every field in a form should be validated in the corresponding validation form.
ID: 106 Name: Struts: Plug-in Framework Not In Use
URL: http://cwe.mitre.org/data/definitions/106.html
Use the Struts Validator to prevent vulnerabilities that result from unchecked input.
ID: 107 Name: Struts: Unused Validation Form
URL: http://cwe.mitre.org/data/definitions/107.html
An unused validation form indicates that validation logic is not up-to-date.
ID: 109 Name: Struts: Validator Turned Off
URL: http://cwe.mitre.org/data/definitions/109.html
Automatic filtering via a Struts bean has been turned off.
ID: 111 Name: Unsafe JNI
URL: http://cwe.mitre.org/data/definitions/111.html
Improper use of the Java Native Interface (JNI) can render Java applications vulnerable to security bugs in other languages. This results in dynamic loading of pre-compiled native code into the runtime environment.
ID: 114 Name: Process Control
URL: http://cwe.mitre.org/data/definitions/114.html
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.
ID: 128 Name: Wrap-around error
URL: http://cwe.mitre.org/data/definitions/128.html
Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
ID: 201 Name: Information Leak Through Sent Data
URL: http://cwe.mitre.org/data/definitions/201.html
The accidental leaking of sensitive information through sent data refers to the transmission of data which are either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.
ID: 213 Name: Intended Information Leak
URL: http://cwe.mitre.org/data/definitions/213.html
A product's design or configuration explicitly requires the publication of information that is sensitive.
ID: 215 Name: Information Leak Through Debug Information
URL: http://cwe.mitre.org/data/definitions/215.html
ID: 467 Name: Use of sizeof() on a pointer type
URL: http://cwe.mitre.org/data/definitions/467.html
Running sizeof() on a malloced pointer type will always return the wordsize/8.
ID: 473 Name: PHP External Variable Modification
URL: http://cwe.mitre.org/data/definitions/473.html
A PHP product does not properly protect against the modification of variables from external sources. Note: this is a tech-specific instance of MAID.
ID: 480 Name: Using the wrong operator
URL: http://cwe.mitre.org/data/definitions/480.html
This is a common error given when an operator is used which does not make sense for the context appears.
ID: 481 Name: Assigning instead of comparing
URL: http://cwe.mitre.org/data/definitions/481.html
In many languages the compare statement is very close in appearance to the assignment statement and are often confused.
ID: 482 Name: Comparing instead of assigning
URL: http://cwe.mitre.org/data/definitions/482.html
In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.
ID: 484 Name: Omitted break statement
URL: http://cwe.mitre.org/data/definitions/484.html
Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should not be used.
ID: 491 Name: Mobile Code: Object Hijack
URL: http://cwe.mitre.org/data/definitions/491.html
Attackers can use Cloneable objects to create new instances of an object without calling its constructor.
ID: 560 Name: Often Misused: umask
URL: http://cwe.mitre.org/data/definitions/560.html
The mask specified by the argument umask() is often confused with the argument to chmod()
ID: 562 Name: Stack Address Returned
URL: http://cwe.mitre.org/data/definitions/562.html
Returning the address of a stack variable will cause unintended program behavior, typically in the form of a crash.
ID: 565 Name: Use of Cookies
URL: http://cwe.mitre.org/data/definitions/565.html
Attackers can easily modify cookies, and reliance without detailed validation can lead to problems like SQL injection and other errors.
ID: 568 Name: Erroneous Finalize Method
URL: http://cwe.mitre.org/data/definitions/568.html
The software contains a finalize() method that does not call super.finalize().
ID: 570 Name: Expression is Always False
URL: http://cwe.mitre.org/data/definitions/570.html
The software contains an expression that will always evaluate to false.
ID: 571 Name: Expression is Always True
URL: http://cwe.mitre.org/data/definitions/571.html
The software contains an expression that will always evaluate to true.
ID: 574 Name: EJB Bad Practices: Use of Synchronization Primitives
URL: http://cwe.mitre.org/data/definitions/574.html
The program violates the Enterprise JavaBeans specification by using thread synchronization primitives.
ID: 575 Name: EJB Bad Practices: Use of AWT Swing
URL: http://cwe.mitre.org/data/definitions/575.html
The program violates the Enterprise JavaBeans specification by using AWT/Swing.
ID: 576 Name: EJB Bad Practices: Use of JAVA I/O
URL: http://cwe.mitre.org/data/definitions/576.html
The program violates the Enterprise JavaBeans specification by using the java.io package.
ID: 577 Name: EJB Bad Practices: Use of Sockets
URL: http://cwe.mitre.org/data/definitions/577.html
The program violates the Enterprise JavaBeans specification by using sockets.
ID: 578 Name: EJB Bad Practices: Use of Class Loader
URL: http://cwe.mitre.org/data/definitions/578.html
The program violates the Enterprise JavaBeans specification by using the class loader.
ID: 580 Name: Erroneous Clone Method
URL: http://cwe.mitre.org/data/definitions/580.html
The software contains a clone() method that fails to call super.clone() to obtain the new object.
ID: 581 Name: Object Model Violation: Just One of Equals and Haschode Defined
URL: http://cwe.mitre.org/data/definitions/581.html
Software fails to maintain equal hashcodes for equal objects.
ID: 582 Name: Mobile Code: Unsafe Array Declaration
URL: http://cwe.mitre.org/data/definitions/582.html
The program violates secure coding principles for mobile code by declaring an array public, final and static.
ID: 583 Name: Mobile Code: Public Finalize Method
URL: http://cwe.mitre.org/data/definitions/583.html
The program violates secure coding principles for mobile code by declaring a finalize() method public.
ID: 584 Name: Return Inside Finally Block
URL: http://cwe.mitre.org/data/definitions/584.html
A return statement inside a finally block will cause any exception that might be thrown in the try block to be discarded.
ID: 586 Name: Explicit Call to Finalize
URL: http://cwe.mitre.org/data/definitions/586.html
The software makes an explicit call to the finalize() method from outside the finalizer.
ID: 587 Name: Assignment of a Fixed Address to a Pointer
URL: http://cwe.mitre.org/data/definitions/587.html
If a pointer is set to a specific address, other than 0(Which is almost always NULL), that address will probably not be valid.
ID: 588 Name: Attempt to Access Child of a Non-structure Pointer
URL: http://cwe.mitre.org/data/definitions/588.html
Casting a non-stucture type to a structure type and accessing a field can lead to memory access errors or data corruption.
ID: 589 Name: Call to Limited API
URL: http://cwe.mitre.org/data/definitions/589.html
An API function that does not exist on all versions of the target platform was identified. Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used.
ID: 595 Name: Incorrect Object Comparison: Syntactic
URL: http://cwe.mitre.org/data/definitions/595.html
Object references are compared rather than objects themselves
ID: 597 Name: Erroneous String Compare
URL: http://cwe.mitre.org/data/definitions/597.html
Strings should be compared with the equals() method, not == or !=
ID: 598 Name: Information Leak Through GET Request
URL: http://cwe.mitre.org/data/definitions/598.html
An area of the web application that possibly contains sensitive information or access to privileged functionality such as remote site administration functionality utilizes query strings to pass information between pages. Information in query strings is directly visible to the end user via the browser interface, which can cause security issues.
Page Last Updated: January 17, 2017