CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (2.11)

CWE VIEW: Weaknesses Addressed by the CERT Java Secure Coding Standard

View ID: 844
Structure: Graph
Status: Incomplete
+ View Data

View Objective

CWE entries in this view (graph) are fully or partially eliminated by following the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this view is incomplete.

+ View Audience
Stakeholder: Developers

By following the CERT Java Secure Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses.

Stakeholder: Software Customers

If a software developer claims to be following the CERT Java Secure Coding standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim.

Stakeholder: Educators

Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard.

+ Relationships
844 - Weaknesses Addressed by the CERT Java Secure Coding Standard
+ Category: CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS) - (845)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS))
Weaknesses in this category are related to rules in the Input Validation and Data Sanitization section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Variant: Authentication Bypass by Alternate Name - (289)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 289 (Authentication Bypass by Alternate Name)
The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
* Category: Cleansing, Canonicalization, and Comparison Errors - (171)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 171 (Cleansing, Canonicalization, and Comparison Errors)
Weaknesses in this category are related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data.
* Weakness Base: Collapse of Data into Unsafe Value - (182)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 182 (Collapse of Data into Unsafe Value)
The software filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
* Weakness Class: Improper Encoding or Escaping of Output - (116)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 116 (Improper Encoding or Escaping of Output)
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Alternate Terms: Output Sanitization, Output Validation, Output Encoding
* Weakness Base: Improper Handling of Highly Compressed Data (Data Amplification) - (409)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 409 (Improper Handling of Highly Compressed Data (Data Amplification))
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
* Weakness Variant: Improper Neutralization of Escape, Meta, or Control Sequences - (150)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 150 (Improper Neutralization of Escape, Meta, or Control Sequences)
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
* Weakness Variant: Improper Neutralization of Line Delimiters - (144)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 144 (Improper Neutralization of Line Delimiters)
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.
* Weakness Base: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Alternate Terms: Shell injection, Shell metacharacters
* Weakness Base: Inappropriate Encoding for Output Context - (838)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 838 (Inappropriate Encoding for Output Context)
The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.
* Weakness Base: Incorrect Behavior Order: Validate Before Canonicalize - (180)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 180 (Incorrect Behavior Order: Validate Before Canonicalize)
The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.
* Weakness Base: Permissive Regular Expression - (625)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 625 (Permissive Regular Expression)
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
* Weakness Base: Use of Externally-Controlled Format String - (134)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 134 (Use of Externally-Controlled Format String)
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.
* Weakness Variant: Use of Non-Canonical URL Paths for Authorization Decisions - (647)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 845 (CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)) > 647 (Use of Non-Canonical URL Paths for Authorization Decisions)
The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
+ Category: CERT Java Secure Coding Section 01 - Declarations and Initialization (DCL) - (846)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 846 (CERT Java Secure Coding Section 01 - Declarations and Initialization (DCL))
Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Class: Improper Initialization - (665)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 846 (CERT Java Secure Coding Section 01 - Declarations and Initialization (DCL)) > 665 (Improper Initialization)
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
+ Category: CERT Java Secure Coding Section 02 - Expressions (EXP) - (847)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 847 (CERT Java Secure Coding Section 02 - Expressions (EXP))
Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Base: Comparison of Object References Instead of Object Contents - (595)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 847 (CERT Java Secure Coding Section 02 - Expressions (EXP)) > 595 (Comparison of Object References Instead of Object Contents)
The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
* Weakness Variant: Signal Handler Use of a Non-reentrant Function - (479)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 847 (CERT Java Secure Coding Section 02 - Expressions (EXP)) > 479 (Signal Handler Use of a Non-reentrant Function)
The program defines a signal handler that calls a non-reentrant function.
* Weakness Base: Unchecked Return Value - (252)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 847 (CERT Java Secure Coding Section 02 - Expressions (EXP)) > 252 (Unchecked Return Value)
The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
* Weakness Variant: Use of Wrong Operator in String Comparison - (597)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 847 (CERT Java Secure Coding Section 02 - Expressions (EXP)) > 597 (Use of Wrong Operator in String Comparison)
The product uses the wrong operator when comparing a string, such as using "==" when the equals() method should be used instead.
+ Category: CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM) - (848)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 848 (CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM))
Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Base: Divide By Zero - (369)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 848 (CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM)) > 369 (Divide By Zero)
The product divides a value by zero.
* Weakness Base: Incorrect Conversion between Numeric Types - (681)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 848 (CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM)) > 681 (Incorrect Conversion between Numeric Types)
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
* Weakness Base: Numeric Truncation Error - (197)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 848 (CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM)) > 197 (Numeric Truncation Error)
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
+ Category: CERT Java Secure Coding Section 04 - Object Orientation (OBJ) - (849)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ))
Weaknesses in this category are related to rules in the Object Orientation (OBJ) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Variant: Array Declared Public, Final, and Static - (582)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 582 (Array Declared Public, Final, and Static)
The program declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.
* Weakness Variant: Cloneable Class Containing Sensitive Information - (498)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 498 (Cloneable Class Containing Sensitive Information)
The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
* Weakness Variant: Comparison of Classes by Name - (486)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 486 (Comparison of Classes by Name)
The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
* Weakness Variant: Critical Public Variable Without Final Modifier - (493)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 493 (Critical Public Variable Without Final Modifier)
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
* Weakness Variant: Critical Variable Declared Public - (766)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 766 (Critical Variable Declared Public)
The software declares a critical variable or field to be public when intended security policy requires it to be private.
* Weakness Base: Passing Mutable Objects to an Untrusted Method - (374)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 374 (Passing Mutable Objects to an Untrusted Method)
The program sends non-cloned mutable data as an argument to a method or function.
* Weakness Variant: Public Static Field Not Marked Final - (500)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 500 (Public Static Field Not Marked Final)
An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
* Weakness Variant: Public cloneable() Method Without Final ('Object Hijack') - (491)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 491 (Public cloneable() Method Without Final ('Object Hijack'))
A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
* Weakness Base: Returning a Mutable Object to an Untrusted Caller - (375)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 375 (Returning a Mutable Object to an Untrusted Caller)
Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.
* Weakness Variant: Use of Inner Class Containing Sensitive Data - (492)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 849 (CERT Java Secure Coding Section 04 - Object Orientation (OBJ)) > 492 (Use of Inner Class Containing Sensitive Data)
Inner classes are translated into classes that are accessible at package scope and may expose to attackers code that the programmer intended to keep private.
+ Category: CERT Java Secure Coding Section 05 - Methods (MET) - (850)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET))
Weaknesses in this category are related to rules in the Methods (MET) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Variant: Call to Non-ubiquitous API - (589)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 589 (Call to Non-ubiquitous API)
The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.
* Weakness Variant: Explicit Call to Finalize() - (586)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 586 (Explicit Call to Finalize())
The software makes an explicit call to the finalize() method from outside the finalizer.
* Weakness Class: Improper Following of Specification by Caller - (573)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 573 (Improper Following of Specification by Caller)
The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
* Weakness Base: Object Model Violation: Just One of Equals and Hashcode Defined - (581)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 581 (Object Model Violation: Just One of Equals and Hashcode Defined)
The software does not maintain equal hashcodes for equal objects.
* Weakness Variant: Reachable Assertion - (617)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 617 (Reachable Assertion)
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
* Weakness Variant: Reliance on Package-level Scope - (487)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 487 (Reliance on Package-level Scope)
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
* Weakness Variant: finalize() Method Declared Public - (583)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 583 (finalize() Method Declared Public)
The program violates secure coding principles for mobile code by declaring a finalize() method public.
* Weakness Variant: finalize() Method Without super.finalize() - (568)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 850 (CERT Java Secure Coding Section 05 - Methods (MET)) > 568 (finalize() Method Without super.finalize())
The software contains a finalize() method that does not call super.finalize().
+ Category: CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR) - (851)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR))
Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Base: Declaration of Throws for Generic Exception - (397)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 397 (Declaration of Throws for Generic Exception)
Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
* Weakness Class: Detection of Error Condition Without Action - (390)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 390 (Detection of Error Condition Without Action)
The software detects a specific error, but takes no actions to handle the error.
* Weakness Variant: Exposure of System Data to an Unauthorized Control Sphere - (497)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 497 (Exposure of System Data to an Unauthorized Control Sphere)
Exposing system data or debugging information helps an adversary learn about the system and form an attack plan.
* Weakness Class: Improper Check or Handling of Exceptional Conditions - (703)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 703 (Improper Check or Handling of Exceptional Conditions)
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
* Weakness Variant: Improper Cleanup on Thrown Exception - (460)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 460 (Improper Cleanup on Thrown Exception)
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
* Weakness Variant: Improper Handling of Missing Values - (230)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 230 (Improper Handling of Missing Values)
The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.
* Weakness Variant: Improper Handling of Undefined Values - (232)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 232 (Improper Handling of Undefined Values)
The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.
* Weakness Class: Incorrect Control Flow Scoping - (705)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 705 (Incorrect Control Flow Scoping)
The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
* Weakness Base: Information Exposure Through an Error Message - (209)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 209 (Information Exposure Through an Error Message)
The software generates an error message that includes sensitive information about its environment, users, or associated data.
* Weakness Variant: J2EE Bad Practices: Use of System.exit() - (382)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 382 (J2EE Bad Practices: Use of System.exit())
A J2EE application uses System.exit(), which also shuts down its container.
* Weakness Base: Return Inside Finally Block - (584)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 584 (Return Inside Finally Block)
The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.
* Weakness Base: Uncaught Exception - (248)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 248 (Uncaught Exception)
An exception is thrown from a function, but it is not caught.
* Weakness Base: Uncaught Exception in Servlet - (600)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 600 (Uncaught Exception in Servlet)
The Servlet does not catch all exceptions, which may reveal sensitive debugging information.
Alternate Terms: Missing Catch Block
* Compound Element (Chain): Unchecked Return Value to NULL Pointer Dereference - (690)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 690 (Unchecked Return Value to NULL Pointer Dereference)
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
* Weakness Base: Use of NullPointerException Catch to Detect NULL Pointer Dereference - (395)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 851 (CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)) > 395 (Use of NullPointerException Catch to Detect NULL Pointer Dereference)
Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.
+ Category: CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA) - (852)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 852 (CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA))
Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Class: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 852 (CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA)) > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'))
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
* Weakness Base: Improper Synchronization - (662)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 852 (CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA)) > 662 (Improper Synchronization)
The software attempts to use a shared resource in an exclusive manner, but does not prevent or incorrectly prevents use of the resource by another thread or process.
* Weakness Base: Race Condition within a Thread - (366)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 852 (CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA)) > 366 (Race Condition within a Thread)
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
* Weakness Base: Unsynchronized Access to Shared Data in a Multithreaded Context - (567)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 852 (CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA)) > 567 (Unsynchronized Access to Shared Data in a Multithreaded Context)
The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
* Weakness Base: Improper Locking - (667)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 852 (CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA)) > 667 (Improper Locking)
The software does not properly acquire a lock on a resource, or it does not properly release a lock on a resource, leading to unexpected resource state changes and behaviors.
* Weakness Base: Improper Resource Locking - (413)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 852 (CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA)) > 413 (Improper Resource Locking)
The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource.
+ Category: CERT Java Secure Coding Section 08 - Locking (LCK) - (853)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 853 (CERT Java Secure Coding Section 08 - Locking (LCK))
Weaknesses in this category are related to rules in the Locking (LCK) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Base: Deadlock - (833)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 853 (CERT Java Secure Coding Section 08 - Locking (LCK)) > 833 (Deadlock)
The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
* Weakness Base: Double-Checked Locking - (609)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 853 (CERT Java Secure Coding Section 08 - Locking (LCK)) > 609 (Double-Checked Locking)
The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
* Weakness Base: Improper Locking - (667)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 853 (CERT Java Secure Coding Section 08 - Locking (LCK)) > 667 (Improper Locking)
The software does not properly acquire a lock on a resource, or it does not properly release a lock on a resource, leading to unexpected resource state changes and behaviors.
* Weakness Base: Improper Resource Locking - (413)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 853 (CERT Java Secure Coding Section 08 - Locking (LCK)) > 413 (Improper Resource Locking)
The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource.
*Weakness BaseWeakness BaseMissing Synchronization - (820)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 853 (CERT Java Secure Coding Section 08 - Locking (LCK)) > 820 (Missing Synchronization)
The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
*Weakness BaseWeakness BaseUnrestricted Externally Accessible Lock - (412)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 853 (CERT Java Secure Coding Section 08 - Locking (LCK)) > 412 (Unrestricted Externally Accessible Lock)
The software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.
+ Category: CERT Java Secure Coding Section 09 - Thread APIs (THI) - (854)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 854 (CERT Java Secure Coding Section 09 - Thread APIs (THI))
Weaknesses in this category are related to rules in the Thread APIs (THI) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Variant: Call to Thread run() instead of start() - (572)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 854 (CERT Java Secure Coding Section 09 - Thread APIs (THI)) > 572 (Call to Thread run() instead of start())
The program calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.
* Weakness Class: Incorrect Control Flow Scoping - (705)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 854 (CERT Java Secure Coding Section 09 - Thread APIs (THI)) > 705 (Incorrect Control Flow Scoping)
The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
+ Category: CERT Java Secure Coding Section 10 - Thread Pools (TPS) - (855)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 855 (CERT Java Secure Coding Section 10 - Thread Pools (TPS))
Weaknesses in this category are related to rules in the Thread Pools (TPS) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Base: Insufficient Resource Pool - (410)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 855 (CERT Java Secure Coding Section 10 - Thread Pools (TPS)) > 410 (Insufficient Resource Pool)
The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
* Weakness Base: Missing Report of Error Condition - (392)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 855 (CERT Java Secure Coding Section 10 - Thread Pools (TPS)) > 392 (Missing Report of Error Condition)
The software encounters an error but does not provide a status code or return value to indicate that an error has occurred.
* Weakness Class: Asymmetric Resource Consumption (Amplification) - (405)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 855 (CERT Java Secure Coding Section 10 - Thread Pools (TPS)) > 405 (Asymmetric Resource Consumption (Amplification))
Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.
* Category: CERT Java Secure Coding Section 11 - Thread-Safety Miscellaneous (TSM) - (856)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 856 (CERT Java Secure Coding Section 11 - Thread-Safety Miscellaneous (TSM))
Weaknesses in this category are related to rules in the Thread-Safety Miscellaneous (TSM) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
+ Category: CERT Java Secure Coding Section 12 - Input Output (FIO) - (857)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO))
Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Class: Asymmetric Resource Consumption (Amplification) - (405)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 405 (Asymmetric Resource Consumption (Amplification))
Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.
* Weakness Class: Exposure of Private Information ('Privacy Violation') - (359)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 359 (Exposure of Private Information ('Privacy Violation'))
The software does not properly prevent private data (such as credit card numbers) from being accessed by actors who either (1) are not explicitly authorized to access the data or (2) do not have the implicit consent of the people to which the data is related. (Alternate terms: Privacy leak; Privacy leakage)
* Weakness Variant: Improper Handling of Windows Device Names - (67)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 67 (Improper Handling of Windows Device Names)
The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
* Weakness Base: Improper Resource Shutdown or Release - (404)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 404 (Improper Resource Shutdown or Release)
The program does not release or incorrectly releases a resource before it is made available for re-use.
* Weakness Base: Incomplete Cleanup - (459)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 459 (Incomplete Cleanup)
The software does not properly "clean up" and remove temporary or supporting resources after they have been used. (Alternate term: Insufficient Cleanup)
* Weakness Base: Incorrect Calculation of Multi-Byte String Length - (135)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 135 (Incorrect Calculation of Multi-Byte String Length)
The software does not correctly calculate the length of strings that can contain wide or multi-byte characters.
* Weakness Variant: Incorrect Default Permissions - (276)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 276 (Incorrect Default Permissions)
The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
* Weakness Variant: Incorrect Execution-Assigned Permissions - (279)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 279 (Incorrect Execution-Assigned Permissions)
While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
* Weakness Variant: Information Exposure Through Cleanup Log Files - (542)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 542 (Information Exposure Through Cleanup Log Files)
The application does not properly protect or delete a log file related to cleanup.
* Weakness Variant: Information Exposure Through Log Files - (532)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 532 (Information Exposure Through Log Files)
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
* Weakness Variant: Information Exposure Through Server Log Files - (533)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 533 (Information Exposure Through Server Log Files)
A server.log file was found. This can give information on whatever application left the file. Usually this can give full path names and system information, and sometimes usernames and passwords.
* Weakness Base: Insecure Temporary File - (377)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 377 (Insecure Temporary File)
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
* Weakness Base: Use of Incorrect Byte Ordering - (198)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 198 (Use of Incorrect Byte Ordering)
The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.
* Weakness Base: Allocation of Resources Without Limits or Throttling - (770)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 770 (Allocation of Resources Without Limits or Throttling)
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.
* Weakness Class: Incorrect Permission Assignment for Critical Resource - (732)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 857 (CERT Java Secure Coding Section 12 - Input Output (FIO)) > 732 (Incorrect Permission Assignment for Critical Resource)
The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
+ Category: CERT Java Secure Coding Section 13 - Serialization (SER) - (858)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER))
Weaknesses in this category are related to rules in the Serialization (SER) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Variant: Deserialization of Untrusted Data - (502)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER)) > 502 (Deserialization of Untrusted Data)
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (Alternate terms: Marshaling, Unmarshaling; Pickling, Unpickling)
* Weakness Class: Execution with Unnecessary Privileges - (250)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER)) > 250 (Execution with Unnecessary Privileges)
The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
* Weakness Variant: Serializable Class Containing Sensitive Data - (499)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER)) > 499 (Serializable Class Containing Sensitive Data)
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.
* Weakness Base: Uncontrolled Resource Consumption ('Resource Exhaustion') - (400)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER)) > 400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
* Weakness Base: Allocation of Resources Without Limits or Throttling - (770)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER)) > 770 (Allocation of Resources Without Limits or Throttling)
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.
* Weakness Variant: Call to Non-ubiquitous API - (589)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER)) > 589 (Call to Non-ubiquitous API)
The software uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.
* Weakness Base: Cleartext Transmission of Sensitive Information - (319)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 858 (CERT Java Secure Coding Section 13 - Serialization (SER)) > 319 (Cleartext Transmission of Sensitive Information)
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
+ Category: CERT Java Secure Coding Section 14 - Platform Security (SEC) - (859)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC))
Weaknesses in this category are related to rules in the Platform Security (SEC) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Variant: Authentication Bypass by Assumed-Immutable Data - (302)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 302 (Authentication Bypass by Assumed-Immutable Data)
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
* Weakness Class: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') - (300)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle'))
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
* Weakness Base: Cleartext Transmission of Sensitive Information - (319)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 319 (Cleartext Transmission of Sensitive Information)
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
* Weakness Base: Direct Use of Unsafe JNI - (111)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 111 (Direct Use of Unsafe JNI)
When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.
* Weakness Base: Download of Code Without Integrity Check - (494)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 494 (Download of Code Without Integrity Check)
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
* Weakness Base: Improper Verification of Cryptographic Signature - (347)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 347 (Improper Verification of Cryptographic Signature)
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
* Weakness Base: Incorrect Privilege Assignment - (266)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 266 (Incorrect Privilege Assignment)
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
* Weakness Base: Least Privilege Violation - (272)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 272 (Least Privilege Violation)
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
* Weakness Base: Reliance on Untrusted Inputs in a Security Decision - (807)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 807 (Reliance on Untrusted Inputs in a Security Decision)
The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
* Weakness Base: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - (470)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'))
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. (Alternate term: Reflection Injection)
* Weakness Class: Incorrect Permission Assignment for Critical Resource - (732)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 859 (CERT Java Secure Coding Section 14 - Platform Security (SEC)) > 732 (Incorrect Permission Assignment for Critical Resource)
The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
+ Category: CERT Java Secure Coding Section 15 - Runtime Environment (ENV) - (860)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 860 (CERT Java Secure Coding Section 15 - Runtime Environment (ENV))
Weaknesses in this category are related to rules in the Runtime Environment (ENV) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Base: Acceptance of Extraneous Untrusted Data With Trusted Data - (349)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 860 (CERT Java Secure Coding Section 15 - Runtime Environment (ENV)) > 349 (Acceptance of Extraneous Untrusted Data With Trusted Data)
The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
* Weakness Class: Incorrect Permission Assignment for Critical Resource - (732)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 860 (CERT Java Secure Coding Section 15 - Runtime Environment (ENV)) > 732 (Incorrect Permission Assignment for Critical Resource)
The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
+ Category: CERT Java Secure Coding Section 49 - Miscellaneous (MSC) - (861)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC))
Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT Java Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
* Weakness Base: Allocation of Resources Without Limits or Throttling - (770)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 770 (Allocation of Resources Without Limits or Throttling)
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.
* Weakness Variant: Improper Handling of Insufficient Entropy in TRNG - (333)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 333 (Improper Handling of Insufficient Entropy in TRNG)
True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.
* Weakness Base: Improper Release of Memory Before Removing Last Reference ('Memory Leak') - (401)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 401 (Improper Release of Memory Before Removing Last Reference ('Memory Leak'))
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. (Alternate term: Memory Leak)
* Weakness Variant: Insufficient Entropy in PRNG - (332)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 332 (Insufficient Entropy in PRNG)
The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
* Weakness Base: Missing Encryption of Sensitive Data - (311)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 311 (Missing Encryption of Sensitive Data)
The software does not encrypt sensitive or critical information before storage or transmission.
* Weakness Base: Predictable Seed in PRNG - (337)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 337 (Predictable Seed in PRNG)
A PRNG is initialized from a predictable seed, e.g. using process ID or system time.
* Weakness Base: Same Seed in PRNG - (336)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 336 (Same Seed in PRNG)
A PRNG uses the same seed each time the product is initialized. If an attacker can guess (or knows) the seed, then he/she may be able to determine the "random" number produced from the PRNG.
* Weakness Base: Use of Hard-coded Credentials - (798)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 798 (Use of Hard-coded Credentials)
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
* Weakness Base: Use of Hard-coded Password - (259)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 259 (Use of Hard-coded Password)
The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
* Weakness Class: Use of Insufficiently Random Values - (330)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 330 (Use of Insufficiently Random Values)
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers.
* Weakness Variant: Use of Singleton Pattern Without Synchronization in a Multithreaded Context - (543)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 543 (Use of Singleton Pattern Without Synchronization in a Multithreaded Context)
The software uses the singleton pattern when creating a resource within a multithreaded environment.
* Weakness Base: Uncontrolled Resource Consumption ('Resource Exhaustion') - (400)
844 (Weaknesses Addressed by the CERT Java Secure Coding Standard) > 861 (CERT Java Secure Coding Section 49 - Miscellaneous (MSC)) > 400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
+ Relationship Notes

The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances.

+ Content History
Submissions
Submission Date    Submitter            Organization    Source
2011-05-24         Internal CWE Team
+ View Metrics
                     CWEs in this view    Total CWEs
Total                124                  out of 1006
Views                0                    out of 33
Categories           18                   out of 245
Weaknesses           105                  out of 720
Compound_Elements    1                    out of 8

Page Last Updated: May 05, 2017