CWE - VIEW LIST: CWE-702: Weaknesses Introduced During Implementation (2.1)

Home > CWE List > VIEW LIST: CWE-702: Weaknesses Introduced During Implementation (2.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS
CWRAF
T-Shirt

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Coverage Claims Representation
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-702: Weaknesses Introduced During Implementation

Weaknesses Introduced During Implementation

Definition in a New Window

View ID: 702 (View: Implicit Slice)

Status: Incomplete

View Data

View Objective

This view (slice) lists weaknesses that can be introduced during implementation.

View Filter: .//Introductory_Phase='Implementation'

View Metrics

	CWEs in this view		Total CWEs
Total	589	out of	886
Views	0	out of	27
Categories	4	out of	157
Weaknesses	581	out of	693
Compound_Elements	4	out of	9

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
MemberOf	View	699	Development Concepts	Development Concepts (primary)699

Content History

Submissions
Submission Date	Submitter	Organization	Source
2008-09-09		MITRE	Internal CWE Team
2008-09-09
Modifications
Modification Date	Modifier	Organization	Source
2009-02-10 (Critical)	CWE Content Team	MITRE	Internal
2009-02-10 (Critical)	Updated the View_Filter to reflect new structure in CWE Schema v4.2
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated View_Filter

Weakness Base Absolute Path Traversal - (36)

Weakness Base Acceptance of Extraneous Untrusted Data With Trusted Data - (349)

Weakness Base Access of Resource Using Incompatible Type ('Type Confusion') - (843)

Weakness Variant Access to Critical Private Variable via Public Method - (767)

Weakness Base Addition of Data Structure Sentinel - (464)

Weakness Base Algorithmic Complexity - (407)

Weakness Variant Allocation of File Descriptors or Handles Without Limits or Throttling - (774)

Weakness Base Allocation of Resources Without Limits or Throttling - (770)

Weakness Class Always-Incorrect Control Flow Implementation - (670)

Weakness Variant Apple '.DS_Store' - (71)

Weakness Base Argument Injection or Modification - (88)

Weakness Variant Array Declared Public, Final, and Static - (582)

Weakness Variant ASP.NET Misconfiguration: Creating Debug Binary - (11)

Weakness Variant ASP.NET Misconfiguration: Missing Custom Error Page - (12)

Weakness Variant ASP.NET Misconfiguration: Not Using Input Validation Framework - (554)

Weakness Variant ASP.NET Misconfiguration: Password in Configuration File - (13)

Weakness Variant ASP.NET Misconfiguration: Use of Identity Impersonation - (556)

Weakness Variant Assigning instead of Comparing - (481)

Weakness Base Assignment of a Fixed Address to a Pointer - (587)

Weakness Class Asymmetric Resource Consumption (Amplification) - (405)

Weakness Variant Attempt to Access Child of a Non-structure Pointer - (588)

Weakness Variant Authentication Bypass by Alternate Name - (289)

Weakness Variant Authentication Bypass by Assumed-Immutable Data - (302)

Weakness Base Authentication Bypass by Primary Weakness - (305)

Weakness Base Authentication Bypass by Spoofing - (290)

Weakness Class Authentication Bypass Issues - (592)

Weakness Variant Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created - (593)

Weakness Variant Authorization Bypass Through User-Controlled SQL Primary Key - (566)

Weakness Base Behavioral Change in New Version or Environment - (439)

Weakness Variant Buffer Access Using Size of Source Buffer - (806)

Weakness Base Buffer Access with Incorrect Length Value - (805)

Weakness Base Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)

Weakness Variant Buffer Over-read - (126)

Weakness Variant Buffer Under-read - (127)

Weakness Base Buffer Underwrite ('Buffer Underflow') - (124)

Weakness Variant Call to Non-ubiquitous API - (589)

Weakness Variant Call to Thread run() instead of start() - (572)

Weakness Variant clone() Method Without super.clone() - (580)

Weakness Variant Cloneable Class Containing Sensitive Information - (498)

Weakness Class Coding Standards Violation - (710)

Weakness Base Collapse of Data into Unsafe Value - (182)

Weakness Variant Command Shell in Externally Accessible Directory - (553)

Weakness Variant Comparing instead of Assigning - (482)

Weakness Variant Comparison of Classes by Name - (486)

Weakness Base Comparison of Object References Instead of Object Contents - (595)

Weakness Base Compiler Removal of Code to Clear Buffers - (14)

Weakness Class Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)

Weakness Class Containment Errors (Container Errors) - (216)

Weakness Base Context Switching Race Condition - (368)

Weakness Class Covert Channel - (514)

Weakness Base Covert Storage Channel - (515)

Weakness Base Covert Timing Channel - (385)

Weakness Variant Creation of chroot Jail Without Changing Working Directory - (243)

Weakness Base Creation of Temporary File in Directory with Incorrect Permissions - (379)

Weakness Base Creation of Temporary File With Insecure Permissions - (378)

Weakness Variant Critical Public Variable Without Final Modifier - (493)

Weakness Variant Critical Variable Declared Public - (766)

Weakness Base Dangerous Signal Handler not Disabled During Sensitive Operations - (432)

Weakness Base Dangling Database Cursor ('Cursor Injection') - (619)

Weakness Variant Dead Code - (561)

Weakness Base Declaration of Catch for Generic Exception - (396)

Weakness Base Declaration of Throws for Generic Exception - (397)

Weakness Base Deletion of Data Structure Sentinel - (463)

Weakness Base Deployment of Wrong Handler - (430)

Weakness Variant Deserialization of Untrusted Data - (502)

Weakness Class Detection of Error Condition Without Action - (390)

Weakness Base Direct Request ('Forced Browsing') - (425)

Weakness Base Direct Use of Unsafe JNI - (111)

Weakness Base Divide By Zero - (369)

Weakness Variant Double Decoding of the Same Data - (174)

Weakness Variant Double Free - (415)

Weakness Base Double-Checked Locking - (609)

Weakness Variant Doubled Character XSS Manipulations - (85)

Weakness Base Download of Code Without Integrity Check - (494)

Weakness Base Duplicate Key in Associative List (Alist) - (462)

Weakness Class Duplicate Operations on Resource - (675)

Weakness Base Dynamic Variable Evaluation - (627)

Weakness Variant EJB Bad Practices: Use of AWT Swing - (575)

Weakness Variant EJB Bad Practices: Use of Class Loader - (578)

Weakness Variant EJB Bad Practices: Use of Java I/O - (576)

Weakness Variant EJB Bad Practices: Use of Sockets - (577)

Weakness Variant EJB Bad Practices: Use of Synchronization Primitives - (574)

Weakness Class Embedded Malicious Code - (506)

Weakness Variant Empty Password in Configuration File - (258)

Weakness Variant Empty Synchronized Block - (585)

Weakness Class Encoding Error - (172)

Weakness Base Executable Regular Expression Error - (624)

Weakness Base Expected Behavior Violation - (440)

Weakness Variant Explicit Call to Finalize() - (586)

Weakness Base Exposed Dangerous Method or Function - (749)

Weakness Variant Exposed IOCTL with Insufficient Access Control - (782)

Weakness Base Exposed Unsafe ActiveX Method - (618)

Weakness Variant Exposure of Backup File to an Unauthorized Control Sphere - (530)

Weakness Variant Exposure of Core Dump File to an Unauthorized Control Sphere - (528)

Weakness Variant Exposure of Data Element to Wrong Session - (488)

Weakness Base Exposure of File Descriptor to Unintended Control Sphere - (403)

Weakness Class Exposure of Resource to Wrong Sphere - (668)

Weakness Variant Exposure of Sensitive Data Through Data Queries - (202)

Weakness Variant Exposure of System Data to an Unauthorized Control Sphere - (497)

Weakness Variant Expression is Always False - (570)

Weakness Variant Expression is Always True - (571)

Weakness Base External Control of Assumed-Immutable Web Parameter - (472)

Weakness Class External Control of Critical State Data - (642)

Weakness Class External Control of File Name or Path - (73)

Weakness Base External Control of System or Configuration Setting - (15)

Weakness Class External Influence of Sphere Definition - (673)

Weakness Base External Initialization of Trusted Variables or Data Stores - (454)

Weakness Base Failure to Handle Incomplete Element - (239)

Weakness Base Failure to Handle Missing Parameter - (234)

Weakness Variant Failure to Sanitize Paired Delimiters - (157)

Weakness Class Failure to Sanitize Special Element - (159)

Weakness Class Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - (75)

Weakness Base File and Directory Information Exposure - (538)

Category File Descriptor Exhaustion - (769)

Weakness Base Files or Directories Accessible to External Parties - (552)

Weakness Variant finalize() Method Declared Public - (583)

Weakness Variant finalize() Method Without super.finalize() - (568)

Weakness Variant Free of Memory not on the Heap - (590)

Weakness Variant Free of Pointer not at Start of Buffer - (761)

Weakness Variant Function Call With Incorrect Argument Type - (686)

Weakness Variant Function Call With Incorrect Number of Arguments - (685)

Weakness Variant Function Call With Incorrect Order of Arguments - (683)

Weakness Variant Function Call With Incorrect Variable or Reference as Argument - (688)

Weakness Variant Function Call With Incorrectly Specified Argument Value - (687)

Weakness Base Function Call with Incorrectly Specified Arguments - (628)

Weakness Base Guessable CAPTCHA - (804)

Weakness Variant Heap-based Buffer Overflow - (122)

Weakness Class Improper Access Control - (284)

Weakness Class Improper Access of Indexable Resource ('Range Error') - (118)

Weakness Variant Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code - (781)

Weakness Class Improper Authentication - (287)

Weakness Class Improper Authorization - (285)

Weakness Base Improper Check for Dropped Privileges - (273)

Weakness Class Improper Check for Unusual or Exceptional Conditions - (754)

Weakness Class Improper Check or Handling of Exceptional Conditions - (703)

Weakness Variant Improper Cleanup on Thrown Exception - (460)

Weakness Variant Improper Clearing of Heap Memory Before Release ('Heap Inspection') - (244)

Weakness Class Improper Control of a Resource Through its Lifetime - (664)

Weakness Base Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') - (98)

Weakness Class Improper Control of Generation of Code ('Code Injection') - (94)

Weakness Class Improper Control of Interaction Frequency - (799)

Weakness Base Improper Control of Resource Identifiers ('Resource Injection') - (99)

Weakness Base Improper Cross-boundary Removal of Sensitive Data - (212)

Weakness Class Improper Encoding or Escaping of Output - (116)

Weakness Class Improper Enforcement of Message or Data Structure - (707)

Weakness Class Improper Following of Specification by Caller - (573)

Weakness Class Improper Fulfillment of API Contract ('API Abuse') - (227)

Weakness Base Improper Handling of Additional Special Element - (167)

Weakness Variant Improper Handling of Alternate Encoding - (173)

Weakness Variant Improper Handling of Apple HFS+ Alternate Data Stream Path - (72)

Weakness Base Improper Handling of Case Sensitivity - (178)

Weakness Class Improper Handling of Exceptional Conditions - (755)

Weakness Base Improper Handling of Extra Parameters - (235)

Weakness Base Improper Handling of Extra Values - (231)

Weakness Base Improper Handling of File Names that Identify Virtual Resources - (66)

Weakness Base Improper Handling of Highly Compressed Data (Data Amplification) - (409)

Weakness Base Improper Handling of Incomplete Structural Elements - (238)

Weakness Base Improper Handling of Inconsistent Special Elements - (168)

Weakness Base Improper Handling of Inconsistent Structural Elements - (240)

Weakness Variant Improper Handling of Insufficient Entropy in TRNG - (333)

Weakness Base Improper Handling of Insufficient Permissions or Privileges - (280)

Weakness Base Improper Handling of Insufficient Privileges - (274)

Weakness Base Improper Handling of Length Parameter Inconsistency - (130)

Weakness Base Improper Handling of Missing Special Element - (166)

Weakness Base Improper Handling of Missing Values - (230)

Weakness Variant Improper Handling of Mixed Encoding - (175)

Weakness Class Improper Handling of Syntactically Invalid Structure - (228)

Weakness Base Improper Handling of Undefined Parameters - (236)

Weakness Base Improper Handling of Undefined Values - (232)

Weakness Base Improper Handling of Unexpected Data Type - (241)

Weakness Variant Improper Handling of Unicode Encoding - (176)

Weakness Variant Improper Handling of URL Encoding (Hex Encoding) - (177)

Weakness Class Improper Handling of Values - (229)

Weakness Variant Improper Handling of Windows ::DATA Alternate Data Stream - (69)

Weakness Variant Improper Handling of Windows Device Names - (67)

Weakness Base Improper Initialization - (665)

Weakness Class Improper Input Validation - (20)

Weakness Class Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)

Weakness Base Improper Link Resolution Before File Access ('Link Following') - (59)

Weakness Base Improper Locking - (667)

Weakness Variant Improper Neutralization of Alternate XSS Syntax - (87)

Weakness Variant Improper Neutralization of Comment Delimiters - (151)

Weakness Base Improper Neutralization of CRLF Sequences ('CRLF Injection') - (93)

Weakness Base Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') - (113)

Weakness Base Improper Neutralization of Data within XPath Expressions ('XPath Injection') - (643)

Weakness Base Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') - (652)

Weakness Base Improper Neutralization of Delimiters - (140)

Weakness Base Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)

Weakness Base Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - (96)

Weakness Variant Improper Neutralization of Encoded URI Schemes in a Web Page - (84)

Weakness Base Improper Neutralization of Equivalent Special Elements - (76)

Weakness Variant Improper Neutralization of Escape, Meta, or Control Sequences - (150)

Weakness Variant Improper Neutralization of Expression/Command Delimiters - (146)

Weakness Variant Improper Neutralization of HTTP Headers for Scripting Syntax - (644)

Weakness Base Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)

Weakness Variant Improper Neutralization of Input Leaders - (148)

Weakness Variant Improper Neutralization of Input Terminators - (147)

Weakness Variant Improper Neutralization of Internal Special Elements - (164)

Weakness Variant Improper Neutralization of Invalid Characters in Identifiers in Web Pages - (86)

Weakness Variant Improper Neutralization of Leading Special Elements - (160)

Weakness Variant Improper Neutralization of Line Delimiters - (144)

Weakness Variant Improper Neutralization of Macro Symbols - (152)

Weakness Variant Improper Neutralization of Multiple Internal Special Elements - (165)

Weakness Variant Improper Neutralization of Multiple Leading Special Elements - (161)

Weakness Variant Improper Neutralization of Multiple Trailing Special Elements - (163)

Weakness Variant Improper Neutralization of Null Byte or NUL Character - (158)

Weakness Variant Improper Neutralization of Parameter/Argument Delimiters - (141)

Weakness Variant Improper Neutralization of Quoting Syntax - (149)

Weakness Variant Improper Neutralization of Record Delimiters - (143)

Weakness Variant Improper Neutralization of Script in an Error Message Web Page - (81)

Weakness Variant Improper Neutralization of Script in Attributes in a Web Page - (83)

Weakness Variant Improper Neutralization of Script in Attributes of IMG Tags in a Web Page - (82)

Weakness Variant Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - (80)

Weakness Variant Improper Neutralization of Section Delimiters - (145)

Weakness Variant Improper Neutralization of Server-Side Includes (SSI) Within a Web Page - (97)

Weakness Class Improper Neutralization of Special Elements - (138)

Weakness Class Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - (74)

Weakness Class Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)

Weakness Base Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') - (90)

Weakness Base Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)

Weakness Base Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - (89)

Weakness Variant Improper Neutralization of Substitution Characters - (153)

Weakness Variant Improper Neutralization of Trailing Special Elements - (162)

Weakness Variant Improper Neutralization of Value Delimiters - (142)

Weakness Variant Improper Neutralization of Variable Name Delimiters - (154)

Weakness Variant Improper Neutralization of Whitespace - (156)

Weakness Variant Improper Neutralization of Wildcards or Matching Symbols - (155)

Weakness Base Improper Null Termination - (170)

Weakness Base Improper Output Neutralization for Logs - (117)

Weakness Base Improper Preservation of Permissions - (281)

Weakness Base Improper Privilege Management - (269)

Weakness Base Improper Release of Memory Before Removing Last Reference ('Memory Leak') - (401)

Weakness Base Improper Resolution of Path Equivalence - (41)

Weakness Base Improper Resource Locking - (413)

Weakness Base Improper Resource Shutdown or Release - (404)

Weakness Base Improper Restriction of Names for Files and Other Resources - (641)

Weakness Class Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)

Weakness Base Improper Synchronization - (662)

Weakness Base Improper Validation of Array Index - (129)

Weakness Base Improper Validation of Integrity Check Value - (354)

Weakness Base Improper Verification of Cryptographic Signature - (347)

Weakness Base Improperly Implemented Security Check for Standard - (358)

Category Inadvertently Introduced Weakness - (518)

Weakness Base Incomplete Blacklist - (184)

Weakness Base Incomplete Cleanup - (459)

Weakness Variant Incomplete Identification of Uploaded File Variables (PHP) - (616)

Weakness Base Incomplete Internal State Distinction - (372)

Weakness Base Incomplete Model of Endpoint Features - (437)

Weakness Base Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') - (444)

Weakness Class Incorrect Authorization - (863)

Weakness Class Incorrect Behavior Order - (696)

Weakness Base Incorrect Behavior Order: Authorization Before Parsing and Canonicalization - (551)

Weakness Base Incorrect Behavior Order: Early Amplification - (408)

Weakness Base Incorrect Behavior Order: Early Validation - (179)

Weakness Base Incorrect Behavior Order: Validate Before Canonicalize - (180)

Weakness Base Incorrect Behavior Order: Validate Before Filter - (181)

Weakness Variant Incorrect Block Delimitation - (483)

Weakness Class Incorrect Calculation - (682)

Weakness Base Incorrect Calculation of Buffer Size - (131)

Weakness Base Incorrect Calculation of Multi-Byte String Length - (135)

Weakness Base Incorrect Check of Function Return Value - (253)

Weakness Class Incorrect Control Flow Scoping - (705)

Weakness Base Incorrect Conversion between Numeric Types - (681)

Weakness Variant Incorrect Default Permissions - (276)

Weakness Base Incorrect Implementation of Authentication Algorithm - (303)

Weakness Base Incorrect Ownership Assignment - (708)

Weakness Class Incorrect Permission Assignment for Critical Resource - (732)

Weakness Base Incorrect Pointer Scaling - (468)

Weakness Base Incorrect Privilege Assignment - (266)

Weakness Base Incorrect Provision of Specified Functionality - (684)

Weakness Class Incorrect Regular Expression - (185)

Weakness Class Incorrect Resource Transfer Between Spheres - (669)

Weakness Base Incorrect Semantic Object Comparison - (596)

Weakness Variant Incorrect Short Circuit Evaluation - (768)

Weakness Class Incorrect Type Conversion or Cast - (704)

Weakness Base Incorrect Use of Privileged APIs - (648)

Weakness Class Incorrect User Management - (286)

Weakness Class Indicator of Poor Code Quality - (398)

Weakness Class Information Exposure - (200)

Weakness Variant Information Exposure of Internal State Through Behavioral Inconsistency - (206)

Weakness Base Information Exposure Through an Error Message - (209)

Weakness Variant Information Exposure Through an External Behavioral Inconsistency - (207)

Weakness Base Information Exposure Through Behavioral Discrepancy - (205)

Weakness Variant Information Exposure Through Browser Caching - (525)

Weakness Variant Information Exposure Through Caching - (524)

Weakness Variant Information Exposure Through Cleanup Log Files - (542)

Weakness Variant Information Exposure Through Comments - (615)

Weakness Variant Information Exposure Through Debug Information - (215)

Weakness Variant Information Exposure Through Directory Listing - (548)

Weakness Class Information Exposure Through Discrepancy - (203)

Weakness Variant Information Exposure Through Environmental Variables - (526)

Weakness Base Information Exposure Through External Error Message - (211)

Weakness Base Information Exposure Through Generated Error Message - (210)

Weakness Variant Information Exposure Through Include Source Code - (541)

Weakness Variant Information Exposure Through Indexing of Private Data - (612)

Weakness Variant Information Exposure Through Java Runtime Error Message - (537)

Weakness Variant Information Exposure Through Log Files - (532)

Weakness Variant Information Exposure Through Persistent Cookies - (539)

Weakness Variant Information Exposure Through Process Environment - (214)

Weakness Variant Information Exposure Through Query Strings in GET Request - (598)

Weakness Variant Information Exposure Through Sent Data - (201)

Weakness Variant Information Exposure Through Server Error Message - (550)

Weakness Variant Information Exposure Through Server Log Files - (533)

Weakness Variant Information Exposure Through Servlet Runtime Error Message - (536)

Weakness Variant Information Exposure Through Shell Error Message - (535)

Weakness Variant Information Exposure Through Source Code - (540)

Weakness Base Information Exposure Through Timing Discrepancy - (208)

Weakness Variant Information Exposure Through WSDL File - (651)

Weakness Variant Information Exposure Through XML External Entity Reference - (611)

Weakness Class Information Loss or Omission - (221)

Weakness Base Insecure Default Variable Initialization - (453)

Weakness Variant Insecure Inherited Permissions - (277)

Weakness Base Insecure Temporary File - (377)

Weakness Class Insufficient Comparison - (697)

Weakness Base Insufficient Compartmentalization - (653)

Weakness Class Insufficient Control Flow Management - (691)

Weakness Base Insufficient Control of Network Message Volume (Network Amplification) - (406)

Weakness Class Insufficient Encapsulation - (485)

Weakness Base Insufficient Entropy - (331)

Weakness Variant Insufficient Entropy in PRNG - (332)

Weakness Base Insufficient Psychological Acceptability - (655)

Weakness Base Insufficient Resource Pool - (410)

Weakness Base Insufficient Session Expiration - (613)

Weakness Base Insufficient Type Distinction - (351)

Weakness Base Insufficient UI Warning of Dangerous Operations - (357)

Weakness Class Insufficient Verification of Data Authenticity - (345)

Weakness Base Insufficiently Protected Credentials - (522)

Category Integer Coercion Error - (192)

Weakness Base Integer Overflow or Wraparound - (190)

Weakness Base Integer Underflow (Wrap or Wraparound) - (191)

Weakness Base Intentional Information Exposure - (213)

Weakness Class Interaction Error - (435)

Weakness Base Interpretation Conflict - (436)

Weakness Variant J2EE Bad Practices: Direct Management of Connections - (245)

Weakness Variant J2EE Bad Practices: Direct Use of Sockets - (246)

Weakness Variant J2EE Bad Practices: Direct Use of Threads - (383)

Weakness Variant J2EE Bad Practices: Non-serializable Object Stored in Session - (579)

Weakness Variant J2EE Bad Practices: Use of System.exit() - (382)

Weakness Variant J2EE Framework: Saving Unserializable Objects to Disk - (594)

Weakness Variant J2EE Misconfiguration: Data Transmission Without Encryption - (5)

Weakness Variant J2EE Misconfiguration: Entity Bean Declared Remote - (8)

Weakness Variant J2EE Misconfiguration: Insufficient Session-ID Length - (6)

Weakness Variant J2EE Misconfiguration: Missing Custom Error Page - (7)

Weakness Variant J2EE Misconfiguration: Plaintext Password in Configuration File - (555)

Weakness Variant J2EE Misconfiguration: Weak Access Permissions for EJB Methods - (9)

Weakness Class Lack of Administrator Control over Security - (671)

Weakness Base Least Privilege Violation - (272)

Weakness Base Leftover Debug Code - (489)

Weakness Base Logic/Time Bomb - (511)

Weakness Base Misinterpretation of Input - (115)

Weakness Variant Mismatched Memory Management Routines - (762)

Weakness Class Missing Authorization - (862)

Weakness Base Missing Check for Certificate Revocation after Initial Check - (370)

Weakness Base Missing Critical Step in Authentication - (304)

Weakness Variant Missing Default Case in Switch Statement - (478)

Weakness Base Missing Handler - (431)

Weakness Base Missing Initialization - (456)

Weakness Base Missing Lock Check - (414)

Weakness Variant Missing Password Field Masking - (549)

Weakness Base Missing Reference to Active Allocated Resource - (771)

Weakness Variant Missing Reference to Active File Descriptor or Handle - (773)

Weakness Variant Missing Release of File Descriptor or Handle after Effective Lifetime - (775)

Weakness Base Missing Release of Resource after Effective Lifetime - (772)

Weakness Base Missing Report of Error Condition - (392)

Weakness Base Missing Support for Integrity Check - (353)

Weakness Base Missing XML Validation - (112)

Weakness Base Modification of Assumed-Immutable Data (MAID) - (471)

Weakness Base Multiple Binds to the Same Port - (605)

Weakness Base Multiple Interpretations of UI Input - (450)

Weakness Variant Multiple Locks of a Critical Resource - (764)

Weakness Variant Multiple Unlocks of a Critical Resource - (765)

Weakness Variant .NET Misconfiguration: Use of Impersonation - (520)

Weakness Base Non-exit on Failed Initialization - (455)

Weakness Base Non-Replicating Malicious Code - (508)

Weakness Class Not Failing Securely ('Failing Open') - (636)

Weakness Variant Not Using a Random IV with CBC Mode - (329)

Weakness Class Not Using Complete Mediation - (638)

Weakness Variant Null Byte Interaction Error (Poison Null Byte) - (626)

Weakness Base NULL Pointer Dereference - (476)

Weakness Base Numeric Truncation Error - (197)

Weakness Base Object Model Violation: Just One of Equals and Hashcode Defined - (581)

Weakness Base Obscured Security-relevant Information by Alternate Name - (224)

Weakness Base Obsolete Feature in UI - (448)

Weakness Base Off-by-one Error - (193)

Weakness Base Omission of Security-relevant Information - (223)

Weakness Base Omitted Break Statement in Switch - (484)

Weakness Base Operation on a Resource after Expiration or Release - (672)

Weakness Base Operation on Resource in Wrong Phase of Lifetime - (666)

Weakness Base Origin Validation Error - (346)

Weakness Base Out-of-bounds Read - (125)

Weakness Base Overly Restrictive Regular Expression - (186)

Weakness Class Parameter Problems - (233)

Weakness Base Partial Comparison - (187)

Weakness Base Passing Mutable Objects to an Untrusted Method - (374)

Weakness Variant Password in Configuration File - (260)

Weakness Variant Path Equivalence: ' filename' (Leading Space) - (47)

Weakness Variant Path Equivalence: '/./' (Single Dot Directory) - (55)

Weakness Variant Path Equivalence: '//multiple/leading/slash' - (50)

Weakness Variant Path Equivalence: '/multiple//internal/slash' - (51)

Weakness Variant Path Equivalence: '/multiple/trailing/slash//' - (52)

Weakness Variant Path Equivalence: '\multiple\\internal\backslash' - (53)

Weakness Variant Path Equivalence: 'fakedir/../realdir/filename' - (57)

Weakness Variant Path Equivalence: 'file name' (Internal Whitespace) - (48)

Weakness Variant Path Equivalence: 'filedir*' (Wildcard) - (56)

Weakness Variant Path Equivalence: 'filedir\' (Trailing Backslash) - (54)

Weakness Variant Path Equivalence: 'filename ' (Trailing Space) - (46)

Weakness Variant Path Equivalence: 'file.name' (Internal Dot) - (44)

Weakness Variant Path Equivalence: 'file...name' (Multiple Internal Dot) - (45)

Weakness Variant Path Equivalence: 'filename....' (Multiple Trailing Dot) - (43)

Weakness Variant Path Equivalence: 'filename.' (Trailing Dot) - (42)

Weakness Variant Path Equivalence: 'filename/' (Trailing Slash) - (49)

Weakness Variant Path Equivalence: Windows 8.3 Filename - (58)

Weakness Variant Path Traversal: '....' (Multiple Dot) - (33)

Weakness Variant Path Traversal: '...' (Triple Dot) - (32)

Weakness Variant Path Traversal: '....//' - (34)

Weakness Variant Path Traversal: '.../...//' - (35)

Weakness Variant Path Traversal: '/../filedir' - (25)

Weakness Variant Path Traversal: '/absolute/pathname/here' - (37)

Weakness Variant Path Traversal: '/dir/../filename' - (26)

Weakness Variant Path Traversal: '../filedir' - (24)

Weakness Variant Path Traversal: '\..\filename' - (29)

Weakness Variant Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - (40)

Weakness Variant Path Traversal: '\absolute\pathname\here' - (38)

Weakness Variant Path Traversal: '\dir\..\filename' - (30)

Weakness Variant Path Traversal: '..\filedir' - (28)

Weakness Variant Path Traversal: 'C:dirname' - (39)

Weakness Variant Path Traversal: 'dir/../../filename' - (27)

Weakness Variant Path Traversal: 'dir\..\..\filename' - (31)

Compound Element: Composite Permission Race Condition During Resource Copy - (689)

Weakness Base Permissive Regular Expression - (625)

Weakness Base Permissive Whitelist - (183)

Weakness Variant PHP External Variable Modification - (473)

Weakness Base Placement of User into Incorrect Group - (842)

Weakness Variant Plaintext Storage in Executable - (318)

Weakness Class Predictability Problems - (340)

Weakness Base Predictable Exact Value from Previous Values - (342)

Weakness Base Predictable from Observable State - (341)

Weakness Base Predictable Seed in PRNG - (337)

Weakness Base Predictable Value Range from Previous Values - (343)

Weakness Class Privacy Violation - (359)

Weakness Variant Private Array-Typed Field Returned From A Public Method - (495)

Weakness Base Privilege Chaining - (268)

Weakness Base Privilege Context Switching Error - (270)

Weakness Base Privilege Defined With Unsafe Actions - (267)

Weakness Class Privilege Dropping / Lowering Errors - (271)

Weakness Class PRNG Seed Error - (335)

Weakness Base Process Control - (114)

Weakness Base Product UI does not Warn User of Unsafe Actions - (356)

Weakness Class Protection Mechanism Failure - (693)

Weakness Variant Public cloneable() Method Without Final ('Object Hijack') - (491)

Weakness Variant Public Data Assigned to Private Array-Typed Field - (496)

Weakness Variant Public Static Field Not Marked Final - (500)

Weakness Variant Public Static Final Field References Mutable Object - (607)

Weakness Base Race Condition Enabling Link Following - (363)

Weakness Base Race Condition in Switch - (365)

Weakness Base Race Condition within a Thread - (366)

Weakness Variant Reachable Assertion - (617)

Weakness Base Redirect Without Exit - (698)

Weakness Variant Regular Expression without Anchors - (777)

Weakness Base Relative Path Traversal - (23)

Weakness Base Release of Invalid Pointer or Reference - (763)

Weakness Base Reliance on a Single Factor in a Security Decision - (654)

Weakness Base Reliance on Cookies without Validation and Integrity Checking - (565)

Weakness Variant Reliance on Cookies without Validation and Integrity Checking in a Security Decision - (784)

Weakness Base Reliance on Data/Memory Layout - (188)

Weakness Variant Reliance on DNS Lookups in a Security Decision - (247)

Weakness Variant Reliance on File Name or Extension of Externally-Supplied File - (646)

Weakness Base Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking - (649)

Weakness Variant Reliance on Package-level Scope - (487)

Weakness Base Reliance on Security Through Obscurity - (656)

Weakness Base Reliance on Untrusted Inputs in a Security Decision - (807)

Weakness Base Replicating Malicious Code (Virus or Worm) - (509)

Weakness Base Response Discrepancy Information Exposure - (204)

Weakness Base Return Inside Finally Block - (584)

Weakness Base Return of Pointer Value Outside of Expected Range - (466)

Weakness Base Return of Stack Variable Address - (562)

Weakness Base Return of Wrong Status Code - (393)

Weakness Base Returning a Mutable Object to an Untrusted Caller - (375)

Weakness Base Same Seed in PRNG - (336)

Weakness Variant Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - (614)

Weakness Variant Sensitive Data Storage in Improperly Locked Memory - (591)

Weakness Variant Sensitive Data Under Web Root - (219)

Weakness Base Sensitive Information Uncleared Before Release - (226)

Weakness Variant Serializable Class Containing Sensitive Data - (499)

Compound Element: Composite Session Fixation - (384)

Weakness Base Signal Handler Race Condition - (364)

Weakness Variant Signal Handler Use of a Non-reentrant Function - (479)

Weakness Variant Signed to Unsigned Conversion Error - (195)

Weakness Base Small Seed Space in PRNG - (339)

Weakness Base Small Space of Random Values - (334)

Weakness Base Spyware - (512)

Weakness Variant SQL Injection: Hibernate - (564)

Weakness Variant Stack-based Buffer Overflow - (121)

Weakness Variant Struts: Duplicate Validation Forms - (102)

Weakness Variant Struts: Form Bean Does Not Extend Validation Class - (104)

Weakness Variant Struts: Form Field Without Validator - (105)

Weakness Variant Struts: Incomplete validate() Method Definition - (103)

Weakness Variant Struts: Non-private Field in ActionForm Class - (608)

Weakness Variant Struts: Plug-in Framework not in Use - (106)

Weakness Variant Struts: Unused Validation Form - (107)

Weakness Variant Struts: Unvalidated Action Form - (108)

Weakness Variant Struts: Validator Turned Off - (109)

Weakness Variant Struts: Validator Without Form Field - (110)

Weakness Variant Suspicious Comment - (546)

Weakness Base Symbolic Name not Mapping to Correct Object - (386)

Category Technology-Specific Input Validation Problems - (100)

Weakness Base The UI Performs the Wrong Action - (449)

Weakness Base Time-of-check Time-of-use (TOCTOU) Race Condition - (367)

Weakness Class Transmission of Private Resources into a New Sphere ('Resource Leak') - (402)

Weakness Base Trapdoor - (510)

Weakness Base Trojan Horse - (507)

Weakness Base Truncation of Security-relevant Information - (222)

Weakness Variant Trust of OpenSSL Certificate Without Validation - (599)

Weakness Base Trust of System Event Data - (360)

Weakness Variant Trusting HTTP Permission Methods on the Server Side - (650)

Weakness Base UI Discrepancy for Security Feature - (446)

Weakness Base UI Misrepresentation of Critical Information - (451)

Weakness Base Uncaught Exception - (248)

Weakness Base Uncaught Exception in Servlet - (600)

Weakness Base Unchecked Error Condition - (391)

Weakness Base Unchecked Input for Loop Condition - (606)

Weakness Base Unchecked Return Value - (252)

Weakness Base Uncontrolled Format String - (134)

Weakness Variant Uncontrolled Memory Allocation - (789)

Weakness Base Uncontrolled Recursion - (674)

Weakness Base Uncontrolled Resource Consumption ('Resource Exhaustion') - (400)

Weakness Base Uncontrolled Search Path Element - (427)

Weakness Base Undefined Behavior for Input to API - (475)

Weakness Base Unexpected Sign Extension - (194)

Weakness Base Unexpected Status Code or Return Value - (394)

Weakness Base Unimplemented or Unsupported Feature in UI - (447)

Weakness Variant UNIX Hard Link - (62)

Compound Element: Composite UNIX Symbolic Link (Symlink) Following - (61)

Weakness Class Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') - (637)

Weakness Variant Unparsed Raw Web Content Delivery - (433)

Weakness Base Unprotected Alternate Channel - (420)

Weakness Base Unprotected Primary Channel - (419)

Weakness Base Unquoted Search Path or Element - (428)

Weakness Base Unrestricted Externally Accessible Lock - (412)

Weakness Variant Unrestricted Recursive Entity References in DTDs ('XML Bomb') - (776)

Weakness Base Unrestricted Upload of File with Dangerous Type - (434)

Weakness Variant Unsafe ActiveX Control Marked Safe For Scripting - (623)

Weakness Variant Unsigned to Signed Conversion Error - (196)

Weakness Base Unsynchronized Access to Shared Data in a Multithreaded Context - (567)

Compound Element: Composite Untrusted Search Path - (426)

Weakness Variant Unused Variable - (563)

Weakness Variant Unvalidated Function Hook Arguments - (622)

Weakness Variant Unverified Password Change - (620)

Weakness Variant URL Redirection to Untrusted Site ('Open Redirect') - (601)

Weakness Base Use After Free - (416)

Weakness Base Use of a Non-reentrant Function in a Concurrent Context - (663)

Weakness Base Use of Client-Side Authentication - (603)

Weakness Base Use of Cryptographically Weak PRNG - (338)

Weakness Variant Use of Dynamic Class Loading - (545)

Weakness Base Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') - (470)

Weakness Base Use of Function with Inconsistent Implementations - (474)

Weakness Variant Use of getlogin() in Multithreaded Application - (558)

Weakness Base Use of Hard-coded Password - (259)

Weakness Variant Use of Hard-coded, Security-relevant Constants - (547)

Weakness Base Use of Incorrect Byte Ordering - (198)

Weakness Base Use of Incorrect Operator - (480)

Weakness Class Use of Incorrectly-Resolved Name or Reference - (706)

Weakness Base Use of Inherently Dangerous Function - (242)

Weakness Variant Use of Inner Class Containing Sensitive Data - (492)

Weakness Class Use of Insufficiently Random Values - (330)

Weakness Base Use of Invariant Value in Dynamically Changing Context - (344)

Weakness Base Use of Less Trusted Source - (348)

Weakness Base Use of Low-Level Functionality - (695)

Weakness Base Use of Multiple Resources with Duplicate Identifier - (694)

Weakness Variant Use of Non-Canonical URL Paths for Authorization Decisions - (647)

Weakness Base Use of NullPointerException Catch to Detect NULL Pointer Dereference - (395)

Weakness Base Use of Obsolete Functions - (477)

Weakness Variant Use of Path Manipulation Function without Maximum-sized Buffer - (785)

Weakness Base Use of Pointer Subtraction to Determine Size - (469)

Weakness Base Use of Potentially Dangerous Function - (676)

Weakness Variant Use of RSA Algorithm without OAEP - (780)

Weakness Variant Use of Singleton Pattern Without Synchronization in a Multithreaded Context - (543)

Weakness Variant Use of sizeof() on a Pointer Type - (467)

Weakness Variant Use of umask() with chmod-style Argument - (560)

Weakness Variant Use of Uninitialized Variable - (457)

Weakness Variant Use of Wrong Operator in String Comparison - (597)

Weakness Base Variable Extraction Error - (621)

Weakness Class Violation of Secure Design Principles - (657)

Weakness Base Weak Password Recovery Mechanism for Forgotten Password - (640)

Weakness Base Weak Password Requirements - (521)

Weakness Variant Windows Hard Link - (65)

Weakness Base Wrap-around Error - (128)

Weakness Base Write-what-where Condition - (123)

Weakness Base XML Injection (aka Blind XPath Injection) - (91)

Page Last Updated: September 12, 2011


	CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us