CWE - VIEW LIST: CWE-677: Weakness Base Elements (Draft 9)

Home > CWE List > VIEW LIST: CWE-677: Weakness Base Elements (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

(CWE-677)

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

VIEW LIST: CWE-677: Weakness Base Elements (Draft 9)

View ID

Status: Draft

677 (View)

Objective

This view (slice) displays only weakness base elements.

View Data

Filter Used: .//@Weakness_Abstraction='Base'

	CWEs in this view		Total CWEs
Total	276	out of	695
Views	0	out of	14
Categories	0	out of	64
Weaknesses	276	out of	605
Compound_Elements	0	out of	12

Absolute Path Traversal - (36)

Acceptance of Extraneous Untrusted Data With Trusted Data - (349)

Addition of Data Structure Sentinel - (464)

Algorithmic Complexity - (407)

Argument Injection or Modification - (88)

Assignment of a Fixed Address to a Pointer - (587)

Authentication Bypass by Capture-replay - (294)

Authentication Bypass by Primary Weakness - (305)

Authentication Bypass by Spoofing - (290)

Behavioral Change in New Version or Environment - (439)

Behavioral Discrepancy Information Leak - (205)

Boundary Beginning Violation ('Buffer Underwrite') - (124)

Collapse of Data Into Unsafe Value - (182)

Compiler Removal of Code to Clear Buffers - (14)

Context Switching Race Condition - (368)

Covert Storage Channel - (515)

Covert Timing Channel - (385)

Creation of Temporary File in Directory with Insecure Permissions - (379)

Creation of Temporary File With Insecure Permissions - (378)

Cross-boundary Cleansing Information Leak - (212)

Custom Special Character Injection - (92)

Dangerous Handler not Disabled During Sensitive Operations - (432)

Dangling Database Cursor (aka 'Cursor Injection') - (619)

Declaration of Catch for Generic Exception - (396)

Declaration of Throws for Generic Exception - (397)

Deletion of Data Structure Sentinel - (463)

Deployment of Wrong Handler - (430)

DEPRECATED: Incorrect Initialization - (458)

DEPRECATED (Duplicate): Covert Timing Channel - (516)

DEPRECATED (Duplicate): General Information Management Problems - (225)

DEPRECATED (Duplicate): HTTP response splitting - (443)

Design Principle Violation: Client-Side Enforcement of Server-Side Security - (602)

Design Principle Violation: Failure to Satisfy Psychological Acceptability - (655)

Design Principle Violation: Insufficient Compartmentalization - (653)

Design Principle Violation: Reliance on a Single Factor in a Security Decision - (654)

Design Principle Violation: Reliance on Security through Obscurity - (656)

Direct Request ('Forced Browsing') - (425)

Direct Use of Unsafe JNI - (111)

Divide By Zero - (369)

Double-Checked Locking - (609)

Duplicate Key in Associative List (Alist) - (462)

Dynamic Variable Evaluation - (627)

Error Message Information Leaks - (209)

Executable Regular Expression Error - (624)

Expected Behavior Violation - (440)

External Control of Assumed-Immutable Web Parameter - (472)

External Control of System or Configuration Setting - (15)

External Control of User State Data - (642)

External Initialization of Trusted Variables - (454)

Failure to Add Integrity Check Value - (353)

Failure to Catch All Exceptions (Missing Catch Block) - (600)

Failure to Check for Certificate Revocation - (299)

Failure to Check Integrity Check Value - (354)

Failure to Check Whether Privileges Were Dropped Successfully - (273)

Failure to Encrypt Sensitive Data - (311)

Failure to Follow Chain of Trust in Certificate Validation - (296)

Failure to Handle Additional Special Element - (167)

Failure to Handle Extra Parameter - (235)

Failure to Handle Extra Value - (231)

Failure to Handle Highly Compressed Data (Data Amplification) - (409)

Failure to Handle Incomplete Element - (239)

Failure to Handle Insufficient Permissions or Privileges - (280)

Failure to Handle Insufficient Privileges - (274)

Failure to Handle Missing Element - (238)

Failure to Handle Missing Parameter - (234)

Failure to Handle Missing Special Element - (166)

Failure to Handle Missing Value - (230)

Failure to Handle Undefined Parameter - (236)

Failure to Handle Undefined Value - (232)

Failure to Handle Wrong Data Type - (241)

Failure to Protect Stored Data from Modification - (217)

Failure to Provide Confidentiality for Stored Data - (218)

Failure to Provide Specified Functionality - (684)

Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak') - (401)

Failure to Report Error in Status Code - (392)

Failure to Resolve Case Sensitivity - (178)

Failure to Resolve Equivalent Special Elements into a Different Plane - (76)

Failure to Resolve Inconsistent Elements - (240)

Failure to Resolve Inconsistent Special Elements - (168)

Failure to Resolve Links Before File Access (aka 'Link Following') - (59)

Failure to Restrict Excessive Authentication Attempts - (307)

Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') - (93)

Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting') - (113)

Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') - (78)

Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection') - (90)

Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') - (89)

Failure to Sanitize Delimiters - (140)

Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS)) - (79)

Failure to Sanitize Server-Side Includes (SSI) Within a Web Page - (97)

Failure to Validate Certificate Expiration - (298)

Failure to Validate Host-specific Certificate Data - (297)

Files or Directories Accessible to External Parties - (552)

Function Call with Incorrectly Specified Arguments - (628)

Hard-Coded Password - (259)

Improper Implementation of Authentication Algorithm - (303)

Improperly Implemented Security Check for Standard - (358)

Improperly Trusted Reverse DNS - (350)

Improperly Verified Signature - (347)

Improper Null Termination - (170)

Improper Resource Shutdown or Release - (404)

Improper Use of Privileged APIs - (648)

Incomplete Blacklist - (184)

Incomplete Cleanup - (459)

Incomplete Internal State Distinction - (372)

Incomplete Model of Endpoint Features - (437)

Incorrect Behavior Order: Early Amplification - (408)

Incorrect Behavior Order: Early Validation - (179)

Incorrect Calculation - (682)

Incorrect Calculation of Multi-Byte String Length - (135)

Incorrect Conversion between Numeric Types - (681)

Incorrect or Incomplete Initialization - (665)

Incorrect Output Sanitization for Logs - (117)

Incorrect Pointer Scaling - (468)

Incorrect Privilege Assignment - (266)

Incorrect Semantic Object Comparison - (596)

Incorrect Sign Extension - (194)

Incorrect Syntactic Object Comparison - (595)

Information Leak of System Data - (497)

Insecure Default Variable Initialization - (453)

Insecure Temporary File - (377)

Insufficient Control of a Resource Through its Lifetime - (664)

Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection') - (95)

Insufficient Control of Directives in Statically Saved Code (Static Code Injection) - (96)

Insufficient Control of Resource Identifiers (aka 'Resource Injection') - (99)

Insufficient Entropy - (331)

Insufficient Locking - (667)

Insufficiently Protected Credentials - (522)

Insufficient Resource Locking - (413)

Insufficient Resource Pool - (410)

Insufficient Session Expiration - (613)

Insufficient Synchronization - (662)

Insufficient Type Distinction - (351)

Insufficient UI Warning of Dangerous Operations - (357)

Integer Overflow (Wrap or Wraparound) - (190)

Integer Underflow (Wrap or Wraparound) - (191)

Intended Information Leak - (213)

Interpretation Conflict - (436)

Interpretation Conflict in Web Traffic (aka 'HTTP Request Smuggling') - (444)

Key Exchange without Entity Authentication - (322)

Least Privilege Violation - (272)

Leftover Debug Code - (489)

Length Parameter Inconsistency - (130)

Logic/Time Bomb - (511)

Miscalculated Null Termination - (132)

Misinterpretation of Input - (115)

Misinterpreted Function Return Value - (253)

Missing Critical Step in Authentication - (304)

Missing Error Handling Mechanism - (544)

Missing Handler - (431)

Missing Initialization - (456)

Missing Lock Check - (414)

Missing or Inconsistent Access Control - (285)

Missing Required Cryptographic Step - (325)

Missing XML Validation - (112)

Modification of Assumed-Immutable Data (MAID) - (471)

Multiple Binds to the Same Port - (605)

Multiple Interpretations of UI Input - (450)

Mutable Objects Passed by Reference - (374)

Network Amplification - (406)

Non-exit on Failed Initialization - (455)

Non-Replicating Malicious Code - (508)

NULL Pointer Dereference - (476)

Numeric Truncation Error - (197)

Object Model Violation: Just One of Equals and Hashcode Defined - (581)

Obscured Security-relevant Information by Alternate Name - (224)

Obsolete Feature in UI - (448)

Off-by-one Error - (193)

Omission of Security-relevant Information - (223)

Omitted Break Statement - (484)

Operation on Resource in Wrong Phase of Lifetime - (666)

Origin Validation Error - (346)

Out-of-bounds Read - (125)

Overly Restrictive Account Lockout Mechanism - (645)

Overly Restrictive Regular Expression - (186)

Partial Comparison - (187)

Passing Mutable Objects to an Untrusted Method - (375)

Password Aging with Long Expiration - (263)

Permission Preservation Failure - (281)

Permissive Regular Expression - (625)

Permissive Whitelist - (183)

Plaintext Storage of Sensitive Information - (312)

Plaintext Transmission of Sensitive Information - (319)

Predictable Exact Value from Previous Values - (342)

Predictable from Observable State - (341)

Predictable Seed in PRNG - (337)

Predictable Value Range from Previous Values - (343)

Privilege Chaining - (268)

Privilege Context Switching Error - (270)

Privilege Defined With Unsafe Actions - (267)

Privilege Management Error - (269)

Process Control - (114)

Product-External Error Message Information Leak - (211)

Product-Generated Error Message Information Leak - (210)

Product UI does not Warn User of Unsafe Actions - (356)

Proxied Trusted Channel - (423)

Race Condition Enabling Link Following - (363)

Race Condition in Checking for Certificate Revocation - (370)

Race Condition in Switch - (365)

Race Condition within a Thread - (366)

Relative Path Traversal - (23)

Reliance on Data/Memory Layout - (188)

Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking - (649)

Replicating Malicious Code (Virus or Worm) - (509)

Resource Exhaustion - (400)

Response Discrepancy Information Leak - (204)

Return Inside Finally Block - (584)

Return of Pointer Value Outside of Expected Range - (466)

Return of Stack Variable Address - (562)

Return of Wrong Status Code - (393)

Reusing a Nonce, Key Pair in Encryption - (323)

Reversible One-Way Hash - (328)

Same Seed in PRNG - (336)

Sensitive Information Uncleared Before Release - (226)

Signal Handler Race Condition - (364)

Small Seed Space in PRNG - (339)

Small Space of Random Values - (334)

Spyware - (512)

State Synchronization Error - (373)

Storing Passwords in a Recoverable Format - (257)

Symbolic Name not Mapping to Correct Object - (386)

The UI Performs the Wrong Action - (449)

Time-of-check Time-of-use Race Condition - (367)

Timing Discrepancy Information Leak - (208)

Trapdoor - (510)

Trojan Horse - (507)

Truncation of Security-relevant Information - (222)

Trust Boundary Violation - (501)

Trust of System Event Data - (360)

UI Misrepresentation of Critical Information - (451)

Uncaught Exception - (248)

Unchecked Array Indexing - (129)

Unchecked Error Condition - (391)

Unchecked Return Value - (252)

Uncontrolled Format String - (134)

Uncontrolled Recursion - (674)

Uncontrolled Search Path Element - (427)

Undefined Behavior for Input to API - (475)

Unexpected Status Code or Return Value - (394)

Unimplemented or Unsupported Feature in UI - (447)

Unintended Proxy/Intermediary - (441)

UNIX File Descriptor Leak - (403)

Unprotected Alternate Channel - (420)

Unprotected Primary Channel - (419)

Unquoted Search Path or Element - (428)

Unrestricted Lock on Critical Resource - (412)

Unsafe Treatment of XPath Input - (643)

Unsafe Treatment of XQuery Input - (652)

Unsynchronized Access to Shared Data - (567)

Unverified Ownership - (283)

Use After Free - (416)

Use of a Broken or Risky Cryptographic Algorithm - (327)

Use of a Key Past its Expiration Date - (324)

Use of a Non-reentrant Function in an Unsynchronized Context - (663)

Use of a Resource after Expiration or Release - (672)

Use of Client-Side Authentication - (603)

Use of Cookies in Security Decision - (565)

Use of Cryptographically Weak PRNG - (338)

Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection') - (470)

Use of Function with Inconsistent Implementations - (474)

Use of Hard-coded Cryptographic Key - (321)

Use of Incorrect Byte Ordering - (198)

Use of Incorrect Operator - (480)

Use of Invariant Value in Dynamically Changing Context - (344)

Use of Less Trusted Source - (348)

Use of NullPointerException Catch to Detect NULL Pointer Dereference - (395)

Use of Obsolete Functions - (477)

Use of Password System for Primary Authentication - (309)

Use of Pointer Subtraction to Determine Size - (469)

Use of Potentially Dangerous Function - (676)

Use of Single-factor Authentication - (308)

Variable Extraction Error - (621)

Weak Password Recovery Mechanism - (640)

Weak Password Requirements - (521)

Wrap-around Error - (128)

Write-what-where Condition - (123)

XML Injection (aka Blind XPath Injection) - (91)

Page Last Updated: April 11, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us