CWE - VIEW LIST: CWE-2000: Comprehensive CWE Dictionary (Draft 9)

Home > CWE List > VIEW LIST: CWE-2000: Comprehensive CWE Dictionary (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

(CWE-2000)

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

VIEW LIST: CWE-2000: Comprehensive CWE Dictionary (Draft 9)

View ID

Status: Draft

2000 (View)

Objective

This view (slice) covers all the elements in CWE.

View Data

Filter Used: true()

	CWEs in this view		Total CWEs
Total	695	out of	695
Views	14	out of	14
Categories	64	out of	64
Weaknesses	605	out of	605
Compound_Elements	12	out of	12

Weakness Base Absolute Path Traversal - (36)

Weakness Base Acceptance of Extraneous Untrusted Data With Trusted Data - (349)

Weakness Variant Access Control Bypass Through User-Controlled Key - (639)

Weakness Variant Access Control Bypass Through User-Controlled SQL Primary Key - (566)

Weakness Class Access Control Issues - (284)

Weakness Base Addition of Data Structure Sentinel - (464)

Weakness Base Algorithmic Complexity - (407)

Weakness Variant Alternate XSS Syntax - (87)

Weakness Class Always-Incorrect Control Flow Implementation - (670)

Weakness Variant Apple '.DS_Store' - (71)

Weakness Variant Apple HFS+ Alternate Data Stream - (72)

Weakness Base Argument Injection or Modification - (88)

Weakness Variant Array Declared Public, Final, and Static - (582)

Category ASP.NET Environment Issues - (10)

Weakness Variant ASP.NET Misconfiguration: Creating Debug Binary - (11)

Weakness Variant ASP.NET Misconfiguration: Missing Custom Error Handling - (12)

Weakness Class ASP.NET Misconfiguration: Not Using Input Validation Framework - (554)

Weakness Variant ASP.NET Misconfiguration: Password in Configuration File - (13)

Weakness Variant ASP.NET Misconfiguration: Use of Identity Impersonation - (556)

Weakness Variant Assigning instead of Comparing - (481)

Weakness Base Assignment of a Fixed Address to a Pointer - (587)

Weakness Class Asymmetric Resource Consumption (Amplification) - (405)

Weakness Variant Attempt to Access Child of a Non-structure Pointer - (588)

Weakness Variant Authentication Bypass by Alternate Name - (289)

Weakness Variant Authentication Bypass by Alternate Path/Channel - (288)

Weakness Variant Authentication Bypass by Assumed-Immutable Data - (302)

Weakness Base Authentication Bypass by Capture-replay - (294)

Weakness Base Authentication Bypass by Primary Weakness - (305)

Weakness Base Authentication Bypass by Spoofing - (290)

Weakness Class Authentication Bypass Issues - (592)

Weakness Variant Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created - (593)

Weakness Base Behavioral Change in New Version or Environment - (439)

Weakness Base Behavioral Discrepancy Information Leak - (205)

Category Behavioral Problems - (438)

Weakness Base Boundary Beginning Violation ('Buffer Underwrite') - (124)

Weakness Variant Buffer Over-read - (126)

Weakness Variant Buffer Under-read - (127)

Category Byte/Object Code - (503)

Weakness Variant Call to Non-ubiquitous API - (589)

Weakness Variant Call to Thread run() instead of start() - (572)

Category Certificate Issues - (295)

View Chain Elements - (679)

Weakness Class Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle') - (300)

Category Channel and Path Errors - (417)

Category Channel Errors - (418)

Category Cleansing, Canonicalization, and Comparison Errors - (171)

Weakness Variant clone() Method Without super.clone() - (580)

Category Code - (17)

Weakness Class Code Injection - (94)

Weakness Base Collapse of Data Into Unsafe Value - (182)

Weakness Variant Command Shell in Externally Accessible Directory - (553)

Weakness Variant Comparing instead of Assigning - (482)

Weakness Variant Comparison of Classes by Name - (486)

Weakness Base Compiler Removal of Code to Clear Buffers - (14)

View Composites - (678)

View Comprehensive CWE Dictionary - (2000)

Category Concurrency Issues - (557)

Category Configuration - (16)

Weakness Class Containment Errors (Container Errors) - (216)

Weakness Base Context Switching Race Condition - (368)

Weakness Class Covert Channel - (514)

Weakness Base Covert Storage Channel - (515)

Weakness Base Covert Timing Channel - (385)

Weakness Base Creation of Temporary File in Directory with Insecure Permissions - (379)

Weakness Base Creation of Temporary File With Insecure Permissions - (378)

Category Credentials Management - (255)

Weakness Variant Critical Public Variable Without Final Modifier - (493)

Weakness Base Cross-boundary Cleansing Information Leak - (212)

Compound Element: Composite Cross-Site Request Forgery (CSRF) - (352)

Category Cryptographic Issues - (310)

Weakness Base Custom Special Character Injection - (92)

Weakness Base Dangerous Handler not Disabled During Sensitive Operations - (432)

Weakness Base Dangling Database Cursor (aka 'Cursor Injection') - (619)

Category Data Handling - (19)

Weakness Variant Data Leak Between Sessions - (488)

Category Data Structure Issues - (461)

Weakness Variant Dead Code - (561)

Weakness Base Declaration of Catch for Generic Exception - (396)

Weakness Base Declaration of Throws for Generic Exception - (397)

Weakness Base Deletion of Data Structure Sentinel - (463)

Weakness Base Deployment of Wrong Handler - (430)

View Deprecated - (604)

Deprecated DEPRECATED (Duplicate): Covert Timing Channel - (516)

Deprecated DEPRECATED (Duplicate): General Information Management Problems - (225)

Deprecated DEPRECATED (Duplicate): HTTP response splitting - (443)

Deprecated DEPRECATED: Incorrect Initialization - (458)

Weakness Variant Deserialization of Untrusted Data - (502)

Weakness Base Design Principle Violation: Client-Side Enforcement of Server-Side Security - (602)

Weakness Base Design Principle Violation: Failure to Satisfy Psychological Acceptability - (655)

Weakness Class Design Principle Violation: Failure to Use Least Privilege - (250)

Weakness Base Design Principle Violation: Insufficient Compartmentalization - (653)

Weakness Class Design Principle Violation: Lack of Administrator Control over Security - (671)

Weakness Class Design Principle Violation: Not Failing Securely - (636)

Weakness Class Design Principle Violation: Not Using Complete Mediation - (638)

Weakness Class Design Principle Violation: Not Using Economy of Mechanism - (637)

Weakness Base Design Principle Violation: Reliance on a Single Factor in a Security Decision - (654)

Weakness Base Design Principle Violation: Reliance on Security through Obscurity - (656)

Weakness Class Detection of Error Condition Without Action - (390)

Weakness Base Direct Request ('Forced Browsing') - (425)

Weakness Base Direct Use of Unsafe JNI - (111)

Weakness Class Discrepancy Information Leaks - (203)

Weakness Base Divide By Zero - (369)

Weakness Variant Double Decoding of the Same Data - (174)

Weakness Variant Double Free - (415)

Weakness Base Double-Checked Locking - (609)

Weakness Variant Doubled Character XSS Manipulations - (85)

Weakness Variant Download of Untrusted Mobile Code Without Integrity Check - (494)

Weakness Base Duplicate Key in Associative List (Alist) - (462)

Weakness Class Duplicate Operations on Resource - (675)

Weakness Base Dynamic Variable Evaluation - (627)

Weakness Variant EJB Bad Practices: Use of AWT Swing - (575)

Weakness Variant EJB Bad Practices: Use of Class Loader - (578)

Weakness Variant EJB Bad Practices: Use of Java I/O - (576)

Weakness Variant EJB Bad Practices: Use of Sockets - (577)

Weakness Variant EJB Bad Practices: Use of Synchronization Primitives - (574)

Weakness Class Element Problems - (237)

Weakness Class Embedded Malicious Code - (506)

Weakness Variant Empty Password in Configuration File - (258)

Weakness Variant Empty Synchronized Block - (585)

Weakness Class Encoding Error - (172)

Category Environment - (2)

Category Error Conditions, Return Values, Status Codes - (389)

Category Error Handling - (388)

Weakness Base Error Message Information Leaks - (209)

Weakness Base Executable Regular Expression Error - (624)

Weakness Base Expected Behavior Violation - (440)

Weakness Variant Explicit Call to Finalize - (586)

Weakness Variant Exposed Unsafe ActiveX Method - (618)

Weakness Class Exposure of Resource to Wrong Sphere - (668)

Weakness Variant Expression is Always False - (570)

Weakness Variant Expression is Always True - (571)

Category Expression Issues - (569)

Weakness Variant External Behavioral Inconsistency Information Leak - (207)

Weakness Base External Control of Assumed-Immutable Web Parameter - (472)

Weakness Class External Control of File Name or Path - (73)

Weakness Base External Control of System or Configuration Setting - (15)

Weakness Base External Control of User State Data - (642)

Weakness Class External Influence of Sphere Definition - (673)

Weakness Base External Initialization of Trusted Variables - (454)

Weakness Class Externally Controlled Reference to a Resource in Another Sphere - (610)

Weakness Base Failure to Add Integrity Check Value - (353)

Weakness Base Failure to Catch All Exceptions (Missing Catch Block) - (600)

Weakness Variant Failure to Change Working Directory in chroot Jail - (243)

Weakness Base Failure to Check for Certificate Revocation - (299)

Weakness Base Failure to Check Integrity Check Value - (354)

Weakness Base Failure to Check Whether Privileges Were Dropped Successfully - (273)

Weakness Variant Failure to Clear Heap Memory Before Release - (244)

Weakness Class Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer - (119)

Weakness Base Failure to Encrypt Sensitive Data - (311)

Weakness Base Failure to Follow Chain of Trust in Certificate Validation - (296)

Weakness Class Failure to Follow Specification - (573)

Weakness Class Failure to Fulfill API Contract (aka 'API Abuse') - (227)

Weakness Base Failure to Handle Additional Special Element - (167)

Weakness Variant Failure to Handle Alternate Encoding - (173)

Weakness Base Failure to Handle Extra Parameter - (235)

Weakness Base Failure to Handle Extra Value - (231)

Weakness Class Failure to Handle File Names that Identify Virtual Resources - (66)

Weakness Base Failure to Handle Highly Compressed Data (Data Amplification) - (409)

Weakness Base Failure to Handle Incomplete Element - (239)

Weakness Variant Failure to Handle Insufficient Entropy in TRNG - (333)

Weakness Base Failure to Handle Insufficient Permissions or Privileges - (280)

Weakness Base Failure to Handle Insufficient Privileges - (274)

Weakness Base Failure to Handle Missing Element - (238)

Weakness Base Failure to Handle Missing Parameter - (234)

Weakness Base Failure to Handle Missing Special Element - (166)

Weakness Base Failure to Handle Missing Value - (230)

Weakness Variant Failure to Handle Mixed Encoding - (175)

Weakness Base Failure to Handle Undefined Parameter - (236)

Weakness Base Failure to Handle Undefined Value - (232)

Weakness Variant Failure to Handle Unicode Encoding - (176)

Weakness Variant Failure to Handle URL Encoding (Hex Encoding) - (177)

Weakness Variant Failure to Handle Windows ::DATA Alternate Data Stream - (69)

Weakness Variant Failure to Handle Windows Device Names - (67)

Weakness Base Failure to Handle Wrong Data Type - (241)

Weakness Class Failure to Protect Alternate Path - (424)

Weakness Base Failure to Protect Stored Data from Modification - (217)

Weakness Base Failure to Provide Confidentiality for Stored Data - (218)

Weakness Base Failure to Provide Specified Functionality - (684)

Weakness Base Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak') - (401)

Weakness Base Failure to Report Error in Status Code - (392)

Weakness Base Failure to Resolve Case Sensitivity - (178)

Weakness Variant Failure to Resolve Encoded URI Schemes in a Web Page - (84)

Weakness Base Failure to Resolve Equivalent Special Elements into a Different Plane - (76)

Weakness Base Failure to Resolve Inconsistent Elements - (240)

Weakness Base Failure to Resolve Inconsistent Special Elements - (168)

Weakness Base Failure to Resolve Links Before File Access (aka 'Link Following') - (59)

Weakness Class Failure to Resolve Path Equivalence - (41)

Weakness Base Failure to Restrict Excessive Authentication Attempts - (307)

Weakness Variant Failure to Sanitize Comment Element - (151)

Weakness Base Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') - (93)

Weakness Base Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting') - (113)

Weakness Class Failure to Sanitize Data into a Control Plane (aka 'Command Injection') - (77)

Weakness Class Failure to Sanitize Data into a Different Plane (aka 'Injection') - (74)

Weakness Base Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') - (78)

Weakness Base Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection') - (90)

Weakness Base Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') - (89)

Weakness Base Failure to Sanitize Delimiters - (140)

Weakness Base Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS)) - (79)

Weakness Variant Failure to Sanitize Directives in an Error Message Web Page - (81)

Weakness Variant Failure to Sanitize Escape, Meta, or Control Sequences - (150)

Weakness Variant Failure to Sanitize Expression/Command Delimiters - (146)

Weakness Variant Failure to Sanitize Input Leaders - (148)

Weakness Variant Failure to Sanitize Input Terminators - (147)

Weakness Variant Failure to Sanitize Internal Special Element - (164)

Weakness Variant Failure to Sanitize Leading Special Element - (160)

Weakness Variant Failure to Sanitize Line Delimiters - (144)

Weakness Variant Failure to Sanitize Macro Symbol - (152)

Weakness Variant Failure to Sanitize Multiple Internal Special Elements - (165)

Weakness Variant Failure to Sanitize Multiple Leading Special Elements - (161)

Weakness Variant Failure to Sanitize Multiple Trailing Special Elements - (163)

Weakness Variant Failure to Sanitize Null Byte or NUL Character - (158)

Weakness Variant Failure to Sanitize Paired Delimiters - (157)

Weakness Variant Failure to Sanitize Parameter/Argument Delimiters - (141)

Weakness Variant Failure to Sanitize Quoting Syntax - (149)

Weakness Variant Failure to Sanitize Record Delimiters - (143)

Weakness Variant Failure to Sanitize Script in Attributes in a Web Page - (83)

Weakness Variant Failure to Sanitize Script in Attributes of IMG Tags in a Web Page - (82)

Weakness Variant Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS) - (80)

Weakness Variant Failure to Sanitize Section Delimiters - (145)

Weakness Base Failure to Sanitize Server-Side Includes (SSI) Within a Web Page - (97)

Weakness Class Failure to Sanitize Special Element - (159)

Weakness Class Failure to Sanitize Special Elements - (138)

Weakness Class Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - (75)

Weakness Variant Failure to Sanitize Substitution Character - (153)

Weakness Variant Failure to Sanitize Trailing Special Element - (162)

Weakness Variant Failure to Sanitize Value Delimiters - (142)

Weakness Variant Failure to Sanitize Variable Name Delimiter - (154)

Weakness Variant Failure to Sanitize Whitespace - (156)

Weakness Variant Failure to Sanitize Wildcard or Matching Symbol - (155)

Weakness Variant Failure to Use Default Case in Switch - (478)

Weakness Base Failure to Validate Certificate Expiration - (298)

Weakness Base Failure to Validate Host-specific Certificate Data - (297)

Weakness Class File and Directory Information Leaks - (538)

Weakness Base Files or Directories Accessible to External Parties - (552)

Weakness Variant finalize() Method Declared Public - (583)

Weakness Variant finalize() Method Without super.finalize() - (568)

Weakness Variant Free of Invalid Pointer Not on the Heap - (590)

Weakness Variant Function Call With Incorrect Argument Type - (686)

Weakness Variant Function Call With Incorrect Number of Arguments - (685)

Weakness Variant Function Call With Incorrect Order of Arguments - (683)

Weakness Variant Function Call With Incorrect Variable or Reference as Argument - (688)

Weakness Variant Function Call With Incorrectly Specified Argument Value - (687)

Weakness Base Function Call with Incorrectly Specified Arguments - (628)

Category General Special Element Problems - (139)

Category Handler Errors - (429)

Weakness Base Hard-Coded Password - (259)

Weakness Variant Heap-based Buffer Overflow - (122)

Weakness Variant Improper Cleanup on Thrown Exception - (460)

Weakness Class Improper Handling of Values - (229)

Weakness Base Improper Implementation of Authentication Algorithm - (303)

Weakness Base Improper Null Termination - (170)

Weakness Class Improper Ownership Management - (282)

Weakness Base Improper Resource Shutdown or Release - (404)

Weakness Base Improper Use of Privileged APIs - (648)

Weakness Base Improperly Implemented Security Check for Standard - (358)

Weakness Base Improperly Trusted Reverse DNS - (350)

Weakness Base Improperly Verified Signature - (347)

Category Inadvertently Introduced Weakness - (518)

Weakness Base Incomplete Blacklist - (184)

Compound Element: Chain Incomplete Blacklist to Cross-Site Scripting - (692)

Weakness Base Incomplete Cleanup - (459)

Weakness Variant Incomplete Identification of Uploaded File Variables (PHP) - (616)

Weakness Base Incomplete Internal State Distinction - (372)

Weakness Base Incomplete Model of Endpoint Features - (437)

Weakness Variant Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)

Weakness Base Incorrect Behavior Order: Early Amplification - (408)

Weakness Base Incorrect Behavior Order: Early Validation - (179)

Weakness Variant Incorrect Behavior Order: Validate Before Canonicalize - (180)

Weakness Variant Incorrect Behavior Order: Validate Before Filter - (181)

Weakness Variant Incorrect Block Delimitation - (483)

Weakness Base Incorrect Calculation - (682)

Weakness Class Incorrect Calculation of Buffer Size - (131)

Weakness Base Incorrect Calculation of Multi-Byte String Length - (135)

Weakness Base Incorrect Conversion between Numeric Types - (681)

Weakness Base Incorrect or Incomplete Initialization - (665)

Weakness Class Incorrect Output Sanitization - (116)

Weakness Base Incorrect Output Sanitization for Logs - (117)

Weakness Base Incorrect Pointer Scaling - (468)

Weakness Base Incorrect Privilege Assignment - (266)

Weakness Class Incorrect Resource Transfer Between Spheres - (669)

Weakness Base Incorrect Semantic Object Comparison - (596)

Weakness Base Incorrect Sign Extension - (194)

Weakness Base Incorrect Syntactic Object Comparison - (595)

Weakness Class Indicator of Poor Code Quality - (398)

Weakness Class Information Leak (Information Disclosure) - (200)

Weakness Base Information Leak of System Data - (497)

Weakness Variant Information Leak Through Access Control List Files - (529)

Weakness Variant Information Leak Through Backup (.~bk) Files - (530)

Weakness Variant Information Leak Through Browser Caching - (525)

Weakness Variant Information Leak Through Caching - (524)

Weakness Variant Information Leak through Class Cloning - (498)

Weakness Variant Information Leak Through Cleanup Log Files - (542)

Weakness Variant Information Leak Through Comments - (615)

Weakness Variant Information Leak Through Core Dump Files - (528)

Weakness Variant Information Leak Through CVS Repository - (527)

Weakness Variant Information Leak Through Debug Information - (215)

Weakness Variant Information Leak Through Debug Log Files - (534)

Weakness Variant Information Leak Through Directory Listing - (548)

Weakness Variant Information Leak Through Environmental Variables - (526)

Weakness Variant Information Leak Through Include Source Code - (541)

Weakness Variant Information Leak Through Indexing of Private Data - (612)

Weakness Variant Information Leak Through Java Runtime Error Message - (537)

Weakness Variant Information Leak Through Log Files - (532)

Weakness Variant Information Leak Through Persistent Cookies - (539)

Weakness Variant Information Leak Through Query Strings in GET Request - (598)

Weakness Variant Information Leak Through Sent Data - (201)

Weakness Variant Information Leak Through Server Error Message - (550)

Weakness Variant Information Leak Through Server Log Files - (533)

Weakness Variant Information Leak Through Servlet Runtime Error Message - (536)

Weakness Variant Information Leak Through Shell Error Message - (535)

Weakness Variant Information Leak Through Source Code - (540)

Weakness Variant Information Leak Through Test Code - (531)

Weakness Variant Information Leak through WSDL File - (651)

Weakness Variant Information Leak Through XML External Entity File Disclosure - (611)

Weakness Class Information Loss or Omission - (221)

Category Information Management Errors - (199)

Category Initialization and Cleanup Errors - (452)

Weakness Variant Insecure Default Permissions - (276)

Weakness Base Insecure Default Variable Initialization - (453)

Weakness Variant Insecure Execution-assigned Permissions - (279)

Weakness Variant Insecure Inherited Permissions - (277)

Weakness Variant Insecure Preserved Inherited Permissions - (278)

Weakness Base Insecure Temporary File - (377)

Weakness Class Insufficient Authentication - (287)

Weakness Class Insufficient Control Flow Management - (691)

Weakness Base Insufficient Control of a Resource Through its Lifetime - (664)

Weakness Base Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection') - (95)

Weakness Base Insufficient Control of Directives in Statically Saved Code (Static Code Injection) - (96)

Compound Element: Composite Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') - (98)

Weakness Base Insufficient Control of Resource Identifiers (aka 'Resource Injection') - (99)

Weakness Class Insufficient Encapsulation - (485)

Weakness Base Insufficient Entropy - (331)

Weakness Variant Insufficient Entropy in PRNG - (332)

Weakness Variant Insufficient Filtering of File and Other Resource Names for Executable Content - (641)

Weakness Variant Insufficient Filtering of HTTP Headers for Scripting Syntax - (644)

Weakness Class Insufficient Input Validation - (20)

Weakness Base Insufficient Locking - (667)

Weakness Base Insufficient Resource Locking - (413)

Weakness Base Insufficient Resource Pool - (410)