CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (CWE version 2.11)

CWE VIEW: Resource-specific Weaknesses

View ID: 631
Structure: Graph
Status: Draft

View Objective

CWE nodes in this view (graph) occur when the application handles particular system resources.

Relationships
631 - Resource-specific Weaknesses

Category: Weaknesses that Affect Files or Directories - (632)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories)
Weaknesses in this category affect file or directory resources.

Weakness Variant: Creation of chroot Jail Without Changing Working Directory - (243)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 243 (Creation of chroot Jail Without Changing Working Directory)
The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.

Weakness Base: Files or Directories Accessible to External Parties - (552)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 552 (Files or Directories Accessible to External Parties)
Files or directories are accessible in the environment that should not be.

Weakness Class: Improper Access Control - (284)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 284 (Improper Access Control)
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Alternate terms: Authorization

Weakness Base: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') - (98)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'))
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Alternate terms: Remote file include, RFI, Local file inclusion

Weakness Base: Improper Handling of Case Sensitivity - (178)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 178 (Improper Handling of Case Sensitivity)
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Weakness Variant: Improper Handling of Windows Device Names - (67)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 67 (Improper Handling of Windows Device Names)
The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Weakness Class: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Alternate terms: Directory traversal, Path traversal

Weakness Base: Improper Link Resolution Before File Access ('Link Following') - (59)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 59 (Improper Link Resolution Before File Access ('Link Following'))
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Alternate terms: insecure temporary file

Weakness Base: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - (96)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection'))
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

Weakness Class: Improper Ownership Management - (282)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 282 (Improper Ownership Management)
The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

Weakness Base: Improper Resolution of Path Equivalence - (41)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 41 (Improper Resolution of Path Equivalence)
The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

Weakness Variant: Information Exposure Through Server Log Files - (533)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 533 (Information Exposure Through Server Log Files)
A server.log file was found. This can give information on whatever application left the file. Usually this can give full path names and system information, and sometimes usernames and passwords.

Category: Mac Virtual File Problems - (70)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 70 (Mac Virtual File Problems)
Weaknesses in this category are related to improper handling of virtual files within Mac-based operating systems.

Weakness Variant: Apple '.DS_Store' - (71)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 70 (Mac Virtual File Problems) > 71 (Apple '.DS_Store')
Software operating in a Mac OS environment, where .DS_Store is in effect, must carefully manage hard links, otherwise an attacker may be able to leverage a hard link from .DS_Store to overwrite arbitrary files and gain privileges.

Weakness Variant: Improper Handling of Apple HFS+ Alternate Data Stream Path - (72)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 70 (Mac Virtual File Problems) > 72 (Improper Handling of Apple HFS+ Alternate Data Stream Path)
The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.

Weakness Variant: Password in Configuration File - (260)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 260 (Password in Configuration File)
The software stores a password in a configuration file that might be accessible to actors who do not know the password.

Category: Permission Issues - (275)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 275 (Permission Issues)
Weaknesses in this category are related to improper assignment or handling of permissions.

Category: Temporary File Issues - (376)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 376 (Temporary File Issues)
Weaknesses in this category are related to improper handling of temporary files.

Category: UNIX Path Link Problems - (60)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems)
Weaknesses in this category are related to improper handling of links within Unix-based operating systems.

Weakness Variant: UNIX Hard Link - (62)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems) > 62 (UNIX Hard Link)
The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Compound Element (Composite): UNIX Symbolic Link (Symlink) Following - (61)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems) > 61 (UNIX Symbolic Link (Symlink) Following)
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.
Alternate terms: Symlink following, symlink vulnerability

Weakness Class: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems) > 61 (UNIX Symbolic Link (Symlink) Following) > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'))
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Weakness Class: Containment Errors (Container Errors) - (216)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems) > 61 (UNIX Symbolic Link (Symlink) Following) > 216 (Containment Errors (Container Errors))
This tries to cover various problems in which improper data are included within a "container."

Category: Permission Issues - (275)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems) > 61 (UNIX Symbolic Link (Symlink) Following) > 275 (Permission Issues)
Weaknesses in this category are related to improper assignment or handling of permissions.

Weakness Class: Predictability Problems - (340)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems) > 61 (UNIX Symbolic Link (Symlink) Following) > 340 (Predictability Problems)
Weaknesses in this category are related to schemes that generate numbers or identifiers that are more predictable than required by the application.

Weakness Base: Symbolic Name not Mapping to Correct Object - (386)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 60 (UNIX Path Link Problems) > 61 (UNIX Symbolic Link (Symlink) Following) > 386 (Symbolic Name not Mapping to Correct Object)
A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.

Weakness Base: Unrestricted Upload of File with Dangerous Type - (434)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 434 (Unrestricted Upload of File with Dangerous Type)
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
Alternate terms: Unrestricted File Upload

Weakness Variant: Use of Path Manipulation Function without Maximum-sized Buffer - (785)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 785 (Use of Path Manipulation Function without Maximum-sized Buffer)
The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.

Category: Windows Path Link Problems - (63)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 63 (Windows Path Link Problems)
Weaknesses in this category are related to improper handling of links within Windows-based operating systems.

Weakness Variant: Windows Hard Link - (65)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 63 (Windows Path Link Problems) > 65 (Windows Hard Link)
The software, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Weakness Variant: Windows Shortcut Following (.LNK) - (64)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 63 (Windows Path Link Problems) > 64 (Windows Shortcut Following (.LNK))
The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.
Alternate terms: Windows symbolic link following, symlink

Category: Windows Virtual File Problems - (68)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 68 (Windows Virtual File Problems)
Weaknesses in this category are related to improper handling of virtual files within Windows-based operating systems.

Weakness Variant: Improper Handling of Windows ::DATA Alternate Data Stream - (69)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 68 (Windows Virtual File Problems) > 69 (Improper Handling of Windows ::DATA Alternate Data Stream)
The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).

Weakness Variant: Improper Handling of Windows Device Names - (67)
631 (Resource-specific Weaknesses) > 632 (Weaknesses that Affect Files or Directories) > 68 (Windows Virtual File Problems) > 67 (Improper Handling of Windows Device Names)
The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Category: Weaknesses that Affect Memory - (633)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory)
Weaknesses in this category affect memory resources.

Weakness Base: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
Alternate terms: buffer overrun, Unbounded Transfer

Weakness Variant: Cleartext Storage of Sensitive Information in Memory - (316)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 316 (Cleartext Storage of Sensitive Information in Memory)
The application stores sensitive information in cleartext in memory.

Weakness Base: Compiler Removal of Code to Clear Buffers - (14)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 14 (Compiler Removal of Code to Clear Buffers)
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

Weakness Variant: Double Free - (415)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 415 (Double Free)
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
Alternate terms: Double-free

Weakness Variant: Heap-based Buffer Overflow - (122)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 122 (Heap-based Buffer Overflow)
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Weakness Variant: Improper Clearing of Heap Memory Before Release ('Heap Inspection') - (244)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 244 (Improper Clearing of Heap Memory Before Release ('Heap Inspection'))
Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

Weakness Base: Improper Release of Memory Before Removing Last Reference ('Memory Leak') - (401)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 401 (Improper Release of Memory Before Removing Last Reference ('Memory Leak'))
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
Alternate terms: Memory Leak

Weakness Class: Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Alternate terms: Memory Corruption

Weakness Base: Improper Validation of Array Index - (129)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 129 (Improper Validation of Array Index)
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Alternate terms: out-of-bounds array index, index-out-of-range, array index underflow

Category: Often Misused: String Management - (251)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 251 (Often Misused: String Management)
Functions that manipulate strings encourage buffer overflows.

Weakness Base: Release of Invalid Pointer or Reference - (763)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 763 (Release of Invalid Pointer or Reference)
The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly.

Weakness Variant: Sensitive Data Storage in Improperly Locked Memory - (591)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 591 (Sensitive Data Storage in Improperly Locked Memory)
The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.

Weakness Base: Sensitive Information Uncleared Before Release - (226)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 226 (Sensitive Information Uncleared Before Release)
The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere.

Weakness Base: Use After Free - (416)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 416 (Use After Free)
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
Alternate terms: Dangling pointer, Use-After-Free

Weakness Base: Use of Externally-Controlled Format String - (134)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 134 (Use of Externally-Controlled Format String)
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

Weakness Variant: Use of Path Manipulation Function without Maximum-sized Buffer - (785)
631 (Resource-specific Weaknesses) > 633 (Weaknesses that Affect Memory) > 785 (Use of Path Manipulation Function without Maximum-sized Buffer)
The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.

Category: Weaknesses that Affect System Processes - (634)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes)
Weaknesses in this category affect system process resources during process invocation or inter-process communication (IPC).

Weakness Base: Argument Injection or Modification - (88)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 88 (Argument Injection or Modification)
The software does not sufficiently delimit the arguments being passed to a component in another control sphere, allowing alternate arguments to be provided, leading to potentially security-relevant changes.

Weakness Variant: Call to Thread run() instead of start() - (572)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 572 (Call to Thread run() instead of start())
The program calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

Weakness Base: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') - (403)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 403 (Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak'))
A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
Alternate terms: File descriptor leak

Weakness Base: Improper Check for Dropped Privileges - (273)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 273 (Improper Check for Dropped Privileges)
The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

Weakness Variant: Improper Handling of Windows ::DATA Alternate Data Stream - (69)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 69 (Improper Handling of Windows ::DATA Alternate Data Stream)
The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).

Weakness Base: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Alternate terms: Shell injection, Shell metacharacters

Weakness Base: Incorrect Privilege Assignment - (266)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 266 (Incorrect Privilege Assignment)
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Weakness Variant: Information Exposure Through Process Environment - (214)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 214 (Information Exposure Through Process Environment)
A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Weakness Variant: J2EE Bad Practices: Direct Use of Threads - (383)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 383 (J2EE Bad Practices: Direct Use of Threads)
Thread management in a Web application is forbidden in some circumstances and is always highly error prone.

Weakness Base: Process Control - (114)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 114 (Process Control)
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.

Weakness Base: Race Condition During Access to Alternate Channel - (421)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 421 (Race Condition During Access to Alternate Channel)
The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.

Weakness Base: Race Condition within a Thread - (366)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 366 (Race Condition within a Thread)
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Category: Signal Errors - (387)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 387 (Signal Errors)
Weaknesses in this category are related to the improper handling of signals.

Weakness Base: Signal Handler Race Condition - (364)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 364 (Signal Handler Race Condition)
The software uses a signal handler that introduces a race condition.

Weakness Variant: Signal Handler Use of a Non-reentrant Function - (479)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 479 (Signal Handler Use of a Non-reentrant Function)
The program defines a signal handler that calls a non-reentrant function.

Weakness Variant: Unprotected Windows Messaging Channel ('Shatter') - (422)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 422 (Unprotected Windows Messaging Channel ('Shatter'))
The software does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.

Compound Element (Composite): Untrusted Search Path - (426)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 426 (Untrusted Search Path)
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.
Alternate terms: Untrusted Path

Weakness Class: Containment Errors (Container Errors) - (216)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 426 (Untrusted Search Path) > 216 (Containment Errors (Container Errors))
This tries to cover various problems in which improper data are included within a "container."

Weakness Base: Modification of Assumed-Immutable Data (MAID) - (471)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 426 (Untrusted Search Path) > 471 (Modification of Assumed-Immutable Data (MAID))
The software does not properly protect an assumed-immutable element from being modified by an attacker.

Category: Permission Issues - (275)
631 (Resource-specific Weaknesses) > 634 (Weaknesses that Affect System Processes) > 426 (Untrusted Search Path) > 275 (Permission Issues)
Weaknesses in this category are related to improper assignment or handling of permissions.
Content History

Modifications

Modification Date   Modifier            Organization   Source
2008-09-08          CWE Content Team    MITRE          Internal
                    updated Relationships, View_Structure
2017-01-19          CWE Content Team    MITRE          Internal
                    updated Relationships
View Metrics

                    CWEs in this view   Total CWEs
Total               62                  1006
Views               0                   33
Categories          11                  245
Weaknesses          49                  720
Compound_Elements   2                   8

Page Last Updated: May 05, 2017