CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.1)  
ID

CWE CATEGORY: CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO)

Category ID: 743
Status: Incomplete
+ Summary
Weaknesses in this category are related to rules in the input/output section of the CERT C Secure Coding Standard, as published in 2008. Since not all rules map to specific weaknesses, this category may be incomplete.
+ Membership
NatureTypeIDName
MemberOfViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).734Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version)
HasMemberClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.37Path Traversal: '/absolute/pathname/here'
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.38Path Traversal: '\absolute\pathname\here'
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.39Path Traversal: 'C:dirname'
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.41Improper Resolution of Path Equivalence
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.59Improper Link Resolution Before File Access ('Link Following')
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.62UNIX Hard Link
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.64Windows Shortcut Following (.LNK)
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.65Windows Hard Link
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.67Improper Handling of Windows Device Names
HasMemberClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.119Improper Restriction of Operations within the Bounds of a Memory Buffer
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.134Use of Externally-Controlled Format String
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.241Improper Handling of Unexpected Data Type
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.276Incorrect Default Permissions
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.279Incorrect Execution-Assigned Permissions
HasMemberClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.367Time-of-check Time-of-use (TOCTOU) Race Condition
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.379Creation of Temporary File in Directory with Incorrect Permissions
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.391Unchecked Error Condition
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.403Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.404Improper Resource Shutdown or Release
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.552Files or Directories Accessible to External Parties
HasMemberClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.675Duplicate Operations on Resource
HasMemberBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.676Use of Potentially Dangerous Function
HasMemberVariantVariant - a weakness that is described at a very low level of detail, typically limited to a specific language or technology. More specific than a Base weakness.686Function Call With Incorrect Argument Type
HasMemberClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.732Incorrect Permission Assignment for Critical Resource
+ Notes

Relationship

In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs:

  • CWE-22 FIO02-C Canonicalize path names originating from untrusted sources
  • CWE-37 FIO05-C Identify files using multiple file attributes
  • CWE-38 FIO05-C Identify files using multiple file attributes
  • CWE-39 FIO05-C Identify files using multiple file attributes
  • CWE-41 FIO02-C Canonicalize path names originating from untrusted sources
  • CWE-59 FIO02-C Canonicalize path names originating from untrusted sources
  • CWE-62 FIO05-C Identify files using multiple file attributes
  • CWE-64 FIO05-C Identify files using multiple file attributes
  • CWE-65 FIO05-C Identify files using multiple file attributes
  • CWE-67 FIO32-C Do not perform operations on devices that are only appropriate for files
  • CWE-119 FIO37-C Do not assume character data has been read
  • CWE-134 FIO30-C Exclude user input from format strings
  • CWE-134 FIO30-C Exclude user input from format strings
  • CWE-241 FIO37-C Do not assume character data has been read
  • CWE-276 FIO06-C Create files with appropriate access permissions
  • CWE-279 FIO06-C Create files with appropriate access permissions
  • CWE-362 FIO31-C Do not simultaneously open the same file multiple times
  • CWE-367 FIO01-C Be careful using functions that use file names for identification
  • CWE-379 FIO15-C Ensure that file operations are performed in a secure directory
  • CWE-379 FIO43-C Do not create temporary files in shared directories
  • CWE-391 FIO04-C Detect and handle input and output errors
  • CWE-391 FIO33-C Detect and handle input output errors resulting in undefined behavior
  • CWE-403 FIO42-C Ensure files are properly closed when they are no longer needed
  • CWE-404 FIO42-C Ensure files are properly closed when they are no longer needed
  • CWE-552 FIO15-C Ensure that file operations are performed in a secure directory
  • CWE-675 FIO31-C Do not simultaneously open the same file multiple times
  • CWE-676 FIO01-C Be careful using functions that use file names for identification
  • CWE-686 FIO00-C Take care when creating format strings
  • CWE-732 FIO06-C Create files with appropriate access permissions
+ References
+ Content History
Submissions
Submission DateSubmitterOrganization
2008-11-24CWE Content TeamMITRE
Modifications
Modification DateModifierOrganization
2011-09-13CWE Content TeamMITRE
updated Relationships
2017-11-08CWE Content TeamMITRE
updated Description, Name, Relationship_Notes
Previous Entry Names
Change DatePrevious Entry Name
2017-11-08CERT C Secure Coding Section 09 - Input Output (FIO)

More information is available — Please select a different filter.
Page Last Updated: March 29, 2018