CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > Reports > Differences between Version 2.7 and Version 2.8  
ID

Differences between Version 2.7 and Version 2.8

Summary
Summary
Total (Version 2.8) 1003
Total (Version 2.7) 945
Total new 58
Total deprecated 0
Total shared 945
Total important changes 610
Total major changes 638
Total minor changes 3
Total minor changes (no major)
Total unchanged 307

Summary of Entry Types

Type Version 2.7 Version 2.8
Category 186 243
Chain 3 3
Composite 5 5
Deprecated 14 14
View 31 32
Weakness 706 706

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 21 0
Description 0 0
Applicable_Platforms 0 0
Time_of_Introduction 0 0
Demonstrative_Examples 36 3
Detection_Factors 54 0
Likelihood_of_Exploit 0 0
Common_Consequences 0 0
Relationships 607 0
References 0 0
Potential_Mitigations 0 0
Observed_Examples 0 0
Terminology_Notes 0 0
Alternate_Terms 0 0
Related_Attack_Patterns 0 0
Relationship_Notes 0 0
Taxonomy_Mappings 306 0
Maintenance_Notes 0 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 0 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 0 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 945

Status Changes

From To Total
Unchanged 945

Relationship Changes

The "Version 2.8 Total" lists the total number of relationships in Version 2.8. The "Shared" value is the total number of relationships in entries that were in both Version 2.8 and Version 2.7. The "New" value is the total number of relationships involving entries that did not exist in Version 2.7. Thus, the total number of relationships in Version 2.8 would combine stats from Shared entries and New entries.

Relationship Version 2.8 Total Version 2.7 Total Version 2.8 Shared Unchanged Added to Version 2.8 Removed from Version 2.7 Version 2.8 New
ALL 7687 7573 6395 6395 1178 1292
ChildOf 3272 3215 2626 2626 589 646
ParentOf 3272 3215 2626 2626 589 646
MemberOf 344 344 344 344
HasMember 344 344 344 344
CanPrecede 121 121 121 121
CanFollow 121 121 121 121
StartsWith 3 3 3 3
Requires 17 17 17 17
RequiredBy 17 17 17 17
CanAlsoBe 34 34 34 34
PeerOf 142 142 142 142

Nodes Removed from Version 2.7

CWE-ID CWE Name
None.

Nodes Added to Version 2.8

CWE-ID CWE Name
944 SFP Secondary Cluster: Access Management
945 SFP Secondary Cluster: Insecure Resource Access
946 SFP Secondary Cluster: Insecure Resource Permissions
947 SFP Secondary Cluster: Authentication Bypass
948 SFP Secondary Cluster: Digital Certificate
949 SFP Secondary Cluster: Faulty Endpoint Authentication
950 SFP Secondary Cluster: Hardcoded Sensitive Data
951 SFP Secondary Cluster: Insecure Authentication Policy
952 SFP Secondary Cluster: Missing Authentication
953 SFP Secondary Cluster: Missing Endpoint Authentication
954 SFP Secondary Cluster: Multiple Binds to the Same Port
955 SFP Secondary Cluster: Unrestricted Authentication
956 SFP Secondary Cluster: Channel Attack
957 SFP Secondary Cluster: Protocol Error
958 SFP Secondary Cluster: Broken Cryptography
959 SFP Secondary Cluster: Weak Cryptography
960 SFP Secondary Cluster: Ambiguous Exception Type
961 SFP Secondary Cluster: Incorrect Exception Behavior
962 SFP Secondary Cluster: Unchecked Status Condition
963 SFP Secondary Cluster: Exposed Data
964 SFP Secondary Cluster: Exposure Temporary File
965 SFP Secondary Cluster: Insecure Session Management
966 SFP Secondary Cluster: Other Exposures
967 SFP Secondary Cluster: State Disclosure
968 SFP Secondary Cluster: Covert Channel
969 SFP Secondary Cluster: Faulty Memory Release
970 SFP Secondary Cluster: Faulty Buffer Access
971 SFP Secondary Cluster: Faulty Pointer Use
972 SFP Secondary Cluster: Faulty String Expansion
973 SFP Secondary Cluster: Improper NULL Termination
974 SFP Secondary Cluster: Incorrect Buffer Length Computation
975 SFP Secondary Cluster: Architecture
976 SFP Secondary Cluster: Compiler
977 SFP Secondary Cluster: Design
978 SFP Secondary Cluster: Implementation
979 SFP Secondary Cluster: Failed Chroot Jail
980 SFP Secondary Cluster: Link in Resource Name Resolution
981 SFP Secondary Cluster: Path Traversal
982 SFP Secondary Cluster: Failure to Release Resource
983 SFP Secondary Cluster: Faulty Resource Use
984 SFP Secondary Cluster: Life Cycle
985 SFP Secondary Cluster: Unrestricted Consumption
986 SFP Secondary Cluster: Missing Lock
987 SFP Secondary Cluster: Multiple Locks/Unlocks
988 SFP Secondary Cluster: Race Condition Window
989 SFP Secondary Cluster: Unrestricted Lock
990 SFP Secondary Cluster: Tainted Input to Command
991 SFP Secondary Cluster: Tainted Input to Environment
992 SFP Secondary Cluster: Faulty Input Transformation
993 SFP Secondary Cluster: Incorrect Input Handling
994 SFP Secondary Cluster: Tainted Input to Variable
995 SFP Secondary Cluster: Feature
996 SFP Secondary Cluster: Security
997 SFP Secondary Cluster: Information Loss
998 SFP Secondary Cluster: Glitch in Computation
999 Weaknesses without Software Fault Patterns
1001 SFP Secondary Cluster: Use of an Improper API
1002 SFP Secondary Cluster: Unexpected Entry Points

Nodes Deprecated in Version 2.8

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 5 J2EE Misconfiguration: Data Transmission Without Encryption
R 6 J2EE Misconfiguration: Insufficient Session-ID Length
R 7 J2EE Misconfiguration: Missing Custom Error Page
R 8 J2EE Misconfiguration: Entity Bean Declared Remote
R 11 ASP.NET Misconfiguration: Creating Debug Binary
R 12 ASP.NET Misconfiguration: Missing Custom Error Page
R 13 ASP.NET Misconfiguration: Password in Configuration File
R 14 Compiler Removal of Code to Clear Buffers
R 15 External Control of System or Configuration Setting
R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 23 Relative Path Traversal
R 24 Path Traversal: '../filedir'
R 25 Path Traversal: '/../filedir'
R 26 Path Traversal: '/dir/../filename'
R 27 Path Traversal: 'dir/../../filename'
R 28 Path Traversal: '..\filedir'
R 29 Path Traversal: '\..\filename'
R 30 Path Traversal: '\dir\..\filename'
R 31 Path Traversal: 'dir\..\..\filename'
R 32 Path Traversal: '...' (Triple Dot)
R 33 Path Traversal: '....' (Multiple Dot)
R 34 Path Traversal: '....//'
R 35 Path Traversal: '.../...//'
R 36 Absolute Path Traversal
R 37 Path Traversal: '/absolute/pathname/here'
R 38 Path Traversal: '\absolute\pathname\here'
R 39 Path Traversal: 'C:dirname'
R 40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
R 41 Improper Resolution of Path Equivalence
R 42 Path Equivalence: 'filename.' (Trailing Dot)
R 43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
R 44 Path Equivalence: 'file.name' (Internal Dot)
R 45 Path Equivalence: 'file...name' (Multiple Internal Dot)
R 46 Path Equivalence: 'filename ' (Trailing Space)
R 47 Path Equivalence: ' filename' (Leading Space)
R 48 Path Equivalence: 'file name' (Internal Whitespace)
R 49 Path Equivalence: 'filename/' (Trailing Slash)
R 50 Path Equivalence: '//multiple/leading/slash'
R 51 Path Equivalence: '/multiple//internal/slash'
R 52 Path Equivalence: '/multiple/trailing/slash//'
R 53 Path Equivalence: '\multiple\\internal\backslash'
R 54 Path Equivalence: 'filedir\' (Trailing Backslash)
R 55 Path Equivalence: '/./' (Single Dot Directory)
R 56 Path Equivalence: 'filedir*' (Wildcard)
R 57 Path Equivalence: 'fakedir/../realdir/filename'
R 58 Path Equivalence: Windows 8.3 Filename
R 59 Improper Link Resolution Before File Access ('Link Following')
R 62 UNIX Hard Link
R 64 Windows Shortcut Following (.LNK)
R 65 Windows Hard Link
R 66 Improper Handling of File Names that Identify Virtual Resources
R 67 Improper Handling of Windows Device Names
R 71 Apple '.DS_Store'
R 72 Improper Handling of Apple HFS+ Alternate Data Stream Path
R 73 External Control of File Name or Path
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
R 76 Improper Neutralization of Equivalent Special Elements
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
R 81 Improper Neutralization of Script in an Error Message Web Page
R 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
R 83 Improper Neutralization of Script in Attributes in a Web Page
R 84 Improper Neutralization of Encoded URI Schemes in a Web Page
R 85 Doubled Character XSS Manipulations
R 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
R 87 Improper Neutralization of Alternate XSS Syntax
R 88 Argument Injection or Modification
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
R 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
R 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 100 Technology-Specific Input Validation Problems
R 102 Struts: Duplicate Validation Forms
R 103 Struts: Incomplete validate() Method Definition
R 104 Struts: Form Bean Does Not Extend Validation Class
R 105 Struts: Form Field Without Validator
R 106 Struts: Plug-in Framework not in Use
R 107 Struts: Unused Validation Form
R 108 Struts: Unvalidated Action Form
R 109 Struts: Validator Turned Off
R 110 Struts: Validator Without Form Field
R 111 Direct Use of Unsafe JNI
R 112 Missing XML Validation
R 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
R 114 Process Control
R 115 Misinterpretation of Input
R 116 Improper Encoding or Escaping of Output
R 117 Improper Output Neutralization for Logs
R 118 Improper Access of Indexable Resource ('Range Error')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 121 Stack-based Buffer Overflow
R 122 Heap-based Buffer Overflow
R 123 Write-what-where Condition
R 124 Buffer Underwrite ('Buffer Underflow')
R 125 Out-of-bounds Read
R 126 Buffer Over-read
R 127 Buffer Under-read
R 128 Wrap-around Error
R 129 Improper Validation of Array Index
R 130 Improper Handling of Length Parameter Inconsistency
R 131 Incorrect Calculation of Buffer Size
R 134 Uncontrolled Format String
R 135 Incorrect Calculation of Multi-Byte String Length
R 138 Improper Neutralization of Special Elements
R 140 Improper Neutralization of Delimiters
R 141 Improper Neutralization of Parameter/Argument Delimiters
R 142 Improper Neutralization of Value Delimiters
R 143 Improper Neutralization of Record Delimiters
R 144 Improper Neutralization of Line Delimiters
R 145 Improper Neutralization of Section Delimiters
R 146 Improper Neutralization of Expression/Command Delimiters
R 147 Improper Neutralization of Input Terminators
R 148 Improper Neutralization of Input Leaders
R 149 Improper Neutralization of Quoting Syntax
R 150 Improper Neutralization of Escape, Meta, or Control Sequences
R 151 Improper Neutralization of Comment Delimiters
R 152 Improper Neutralization of Macro Symbols
R 153 Improper Neutralization of Substitution Characters
R 154 Improper Neutralization of Variable Name Delimiters
R 155 Improper Neutralization of Wildcards or Matching Symbols
R 156 Improper Neutralization of Whitespace
R 157 Failure to Sanitize Paired Delimiters
R 158 Improper Neutralization of Null Byte or NUL Character
R 159 Failure to Sanitize Special Element
R 160 Improper Neutralization of Leading Special Elements
R 161 Improper Neutralization of Multiple Leading Special Elements
R 162 Improper Neutralization of Trailing Special Elements
R 163 Improper Neutralization of Multiple Trailing Special Elements
R 164 Improper Neutralization of Internal Special Elements
R 165 Improper Neutralization of Multiple Internal Special Elements
R 166 Improper Handling of Missing Special Element
R 167 Improper Handling of Additional Special Element
R 168 Improper Handling of Inconsistent Special Elements
R 170 Improper Null Termination
R 172 Encoding Error
R 173 Improper Handling of Alternate Encoding
R 174 Double Decoding of the Same Data
R 175 Improper Handling of Mixed Encoding
R 176 Improper Handling of Unicode Encoding
R 177 Improper Handling of URL Encoding (Hex Encoding)
R 178 Improper Handling of Case Sensitivity
R 179 Incorrect Behavior Order: Early Validation
R 180 Incorrect Behavior Order: Validate Before Canonicalize
R 181 Incorrect Behavior Order: Validate Before Filter
R 182 Collapse of Data into Unsafe Value
R 183 Permissive Whitelist
R 184 Incomplete Blacklist
R 185 Incorrect Regular Expression
R 186 Overly Restrictive Regular Expression
R 187 Partial Comparison
R 188 Reliance on Data/Memory Layout
R 190 Integer Overflow or Wraparound
R 191 Integer Underflow (Wrap or Wraparound)
R 193 Off-by-one Error
R 194 Unexpected Sign Extension
R 195 Signed to Unsigned Conversion Error
R 196 Unsigned to Signed Conversion Error
R 197 Numeric Truncation Error
R 198 Use of Incorrect Byte Ordering
R 200 Information Exposure
R 201 Information Exposure Through Sent Data
R 202 Exposure of Sensitive Data Through Data Queries
R 203 Information Exposure Through Discrepancy
R 204 Response Discrepancy Information Exposure
R 205 Information Exposure Through Behavioral Discrepancy
R 206 Information Exposure of Internal State Through Behavioral Inconsistency
R 207 Information Exposure Through an External Behavioral Inconsistency
R 208 Information Exposure Through Timing Discrepancy
R 209 Information Exposure Through an Error Message
R 210 Information Exposure Through Self-generated Error Message
R 211 Information Exposure Through Externally-generated Error Message
R 212 Improper Cross-boundary Removal of Sensitive Data
R 213 Intentional Information Exposure
R 214 Information Exposure Through Process Environment
R 215 Information Exposure Through Debug Information
R 216 Containment Errors (Container Errors)
R 219 Sensitive Data Under Web Root
R 220 Sensitive Data Under FTP Root
R 221 Information Loss or Omission
R 222 Truncation of Security-relevant Information
R 223 Omission of Security-relevant Information
R 224 Obscured Security-relevant Information by Alternate Name
R 226 Sensitive Information Uncleared Before Release
R 227 Improper Fulfillment of API Contract ('API Abuse')
R 228 Improper Handling of Syntactically Invalid Structure
R 229 Improper Handling of Values
R 230 Improper Handling of Missing Values
R 231 Improper Handling of Extra Values
R 232 Improper Handling of Undefined Values
R 233 Improper Handling of Parameters
R 234 Failure to Handle Missing Parameter
R 235 Improper Handling of Extra Parameters
R 236 Improper Handling of Undefined Parameters
R 237 Improper Handling of Structural Elements
R 238 Improper Handling of Incomplete Structural Elements
R 239 Failure to Handle Incomplete Element
R 240 Improper Handling of Inconsistent Structural Elements
R 241 Improper Handling of Unexpected Data Type
R 242 Use of Inherently Dangerous Function
R 243 Creation of chroot Jail Without Changing Working Directory
R 244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
R 245 J2EE Bad Practices: Direct Management of Connections
R 246 J2EE Bad Practices: Direct Use of Sockets
R 248 Uncaught Exception
R 252 Unchecked Return Value
R 253 Incorrect Check of Function Return Value
R 256 Plaintext Storage of a Password
R 257 Storing Passwords in a Recoverable Format
R 258 Empty Password in Configuration File
R 259 Use of Hard-coded Password
R 260 Password in Configuration File
R 261 Weak Cryptography for Passwords
R 262 Not Using Password Aging
R 263 Password Aging with Long Expiration
R 273 Improper Check for Dropped Privileges
R 276 Incorrect Default Permissions
R 277 Insecure Inherited Permissions
R 278 Insecure Preserved Inherited Permissions
R 279 Incorrect Execution-Assigned Permissions
R 280 Improper Handling of Insufficient Permissions or Privileges
R 281 Improper Preservation of Permissions
R 282 Improper Ownership Management
R 283 Unverified Ownership
R 284 Improper Access Control
R 285 Improper Authorization
R 286 Incorrect User Management
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
R 290 Authentication Bypass by Spoofing
R 293 Using Referer Field for Authentication
R 294 Authentication Bypass by Capture-replay
R 296 Improper Following of a Certificate's Chain of Trust
R 297 Improper Validation of Certificate with Host Mismatch
R 298 Improper Validation of Certificate Expiration
R 299 Improper Check for Certificate Revocation
R 300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
R 301 Reflection Attack in an Authentication Protocol
R 302 Authentication Bypass by Assumed-Immutable Data
R 303 Incorrect Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
R 305 Authentication Bypass by Primary Weakness
R 306 Missing Authentication for Critical Function
R 307 Improper Restriction of Excessive Authentication Attempts
R 308 Use of Single-factor Authentication
R 309 Use of Password System for Primary Authentication
R 311 Missing Encryption of Sensitive Data
R 312 Cleartext Storage of Sensitive Information
R 313 Cleartext Storage in a File or on Disk
R 314 Cleartext Storage in the Registry
R 315 Cleartext Storage of Sensitive Information in a Cookie
R 316 Cleartext Storage of Sensitive Information in Memory
R 317 Cleartext Storage of Sensitive Information in GUI
R 318 Cleartext Storage of Sensitive Information in Executable
R 319 Cleartext Transmission of Sensitive Information
R 321 Use of Hard-coded Cryptographic Key
R 322 Key Exchange without Entity Authentication
R 323 Reusing a Nonce, Key Pair in Encryption
R 324 Use of a Key Past its Expiration Date
R 325 Missing Required Cryptographic Step
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 328 Reversible One-Way Hash
R 329 Not Using a Random IV with CBC Mode
R 345 Insufficient Verification of Data Authenticity
R 346 Origin Validation Error
R 347 Improper Verification of Cryptographic Signature
R 348 Use of Less Trusted Source
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
R 351 Insufficient Type Distinction
R 353 Missing Support for Integrity Check
R 354 Improper Validation of Integrity Check Value
R 356 Product UI does not Warn User of Unsafe Actions
R 357 Insufficient UI Warning of Dangerous Operations
R 358 Improperly Implemented Security Check for Standard
R 359 Exposure of Private Information ('Privacy Violation')
R 360 Trust of System Event Data
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 363 Race Condition Enabling Link Following
R 364 Signal Handler Race Condition
R 365 Race Condition in Switch
R 366 Race Condition within a Thread
R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
R 368 Context Switching Race Condition
R 369 Divide By Zero
R 370 Missing Check for Certificate Revocation after Initial Check
R 372 Incomplete Internal State Distinction
R 374 Passing Mutable Objects to an Untrusted Method
R 375 Returning a Mutable Object to an Untrusted Caller
R 377 Insecure Temporary File
R 378 Creation of Temporary File With Insecure Permissions
R 379 Creation of Temporary File in Directory with Incorrect Permissions
R 382 J2EE Bad Practices: Use of System.exit()
R 383 J2EE Bad Practices: Direct Use of Threads
R 385 Covert Timing Channel
R 386 Symbolic Name not Mapping to Correct Object
R 390 Detection of Error Condition Without Action
R 391 Unchecked Error Condition
R 392 Missing Report of Error Condition
R 393 Return of Wrong Status Code
R 394 Unexpected Status Code or Return Value
R 395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
R 396 Declaration of Catch for Generic Exception
R 397 Declaration of Throws for Generic Exception
R 398 Indicator of Poor Code Quality
R 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
R 401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
R 402 Transmission of Private Resources into a New Sphere ('Resource Leak')
R 403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
R 404 Improper Resource Shutdown or Release
R 405 Asymmetric Resource Consumption (Amplification)
R 406 Insufficient Control of Network Message Volume (Network Amplification)
R 407 Algorithmic Complexity
R 408 Incorrect Behavior Order: Early Amplification
R 409 Improper Handling of Highly Compressed Data (Data Amplification)
R 410 Insufficient Resource Pool
R 412 Unrestricted Externally Accessible Lock
R 413 Improper Resource Locking
R 414 Missing Lock Check
R 415 Double Free
R 416 Use After Free
R 419 Unprotected Primary Channel
R 420 Unprotected Alternate Channel
R 421 Race Condition During Access to Alternate Channel
R 422 Unprotected Windows Messaging Channel ('Shatter')
R 424 Improper Protection of Alternate Path
R 425 Direct Request ('Forced Browsing')
R 427 Uncontrolled Search Path Element
R 428 Unquoted Search Path or Element
R 430 Deployment of Wrong Handler
R 431 Missing Handler
R 432 Dangerous Signal Handler not Disabled During Sensitive Operations
R 433 Unparsed Raw Web Content Delivery
R 435 Interaction Error
R 436 Interpretation Conflict
R 437 Incomplete Model of Endpoint Features
R 439 Behavioral Change in New Version or Environment
R 440 Expected Behavior Violation
R 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
R 446 UI Discrepancy for Security Feature
R 447 Unimplemented or Unsupported Feature in UI
R 448 Obsolete Feature in UI
R 449 The UI Performs the Wrong Action
R 450 Multiple Interpretations of UI Input
R 451 User Interface (UI) Misrepresentation of Critical Information
R 453 Insecure Default Variable Initialization
R 454 External Initialization of Trusted Variables or Data Stores
R 455 Non-exit on Failed Initialization
R 456 Missing Initialization of a Variable
R 457 Use of Uninitialized Variable
R 459 Incomplete Cleanup
R 460 Improper Cleanup on Thrown Exception
R 462 Duplicate Key in Associative List (Alist)
R 463 Deletion of Data Structure Sentinel
R 464 Addition of Data Structure Sentinel
R 466 Return of Pointer Value Outside of Expected Range
R 467 Use of sizeof() on a Pointer Type
R 468 Incorrect Pointer Scaling
R 469 Use of Pointer Subtraction to Determine Size
R 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
R 471 Modification of Assumed-Immutable Data (MAID)
R 472 External Control of Assumed-Immutable Web Parameter
R 473 PHP External Variable Modification
R 474 Use of Function with Inconsistent Implementations
R 475 Undefined Behavior for Input to API
R 476 NULL Pointer Dereference
R 477 Use of Obsolete Functions
R 478 Missing Default Case in Switch Statement
R 479 Signal Handler Use of a Non-reentrant Function
R 480 Use of Incorrect Operator
R 481 Assigning instead of Comparing
R 483 Incorrect Block Delimitation
R 484 Omitted Break Statement in Switch
R 485 Insufficient Encapsulation
R 486 Comparison of Classes by Name
R 487 Reliance on Package-level Scope
R 488 Exposure of Data Element to Wrong Session
R 489 Leftover Debug Code
R 491 Public cloneable() Method Without Final ('Object Hijack')
R 492 Use of Inner Class Containing Sensitive Data
R 493 Critical Public Variable Without Final Modifier
R 494 Download of Code Without Integrity Check
R 495 Private Array-Typed Field Returned From A Public Method
R 496 Public Data Assigned to Private Array-Typed Field
R 497 Exposure of System Data to an Unauthorized Control Sphere
R 498 Cloneable Class Containing Sensitive Information
R 499 Serializable Class Containing Sensitive Data
R 500 Public Static Field Not Marked Final
R 501 Trust Boundary Violation
R 502 Deserialization of Untrusted Data
R 514 Covert Channel
R 515 Covert Storage Channel
R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
R 523 Unprotected Transport of Credentials
R 524 Information Exposure Through Caching
R 525 Information Exposure Through Browser Caching
R 526 Information Exposure Through Environmental Variables
R 527 Exposure of CVS Repository to an Unauthorized Control Sphere
R 528 Exposure of Core Dump File to an Unauthorized Control Sphere
R 529 Exposure of Access Control List Files to an Unauthorized Control Sphere
R 530 Exposure of Backup File to an Unauthorized Control Sphere
R 531 Information Exposure Through Test Code
R 532 Information Exposure Through Log Files
R 533 Information Exposure Through Server Log Files
R 534 Information Exposure Through Debug Log Files
R 535 Information Exposure Through Shell Error Message
R 536 Information Exposure Through Servlet Runtime Error Message
R 537 Information Exposure Through Java Runtime Error Message
R 538 File and Directory Information Exposure
R 539 Information Exposure Through Persistent Cookies
R 540 Information Exposure Through Source Code
R 541 Information Exposure Through Include Source Code
R 542 Information Exposure Through Cleanup Log Files
R 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
R 544 Missing Standardized Error Handling Mechanism
R 545 Use of Dynamic Class Loading
R 546 Suspicious Comment
R 547 Use of Hard-coded, Security-relevant Constants
R 548 Information Exposure Through Directory Listing
R 549 Missing Password Field Masking
R 550 Information Exposure Through Server Error Message
R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
R 552 Files or Directories Accessible to External Parties
R 553 Command Shell in Externally Accessible Directory
R 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
R 555 J2EE Misconfiguration: Plaintext Password in Configuration File
R 556 ASP.NET Misconfiguration: Use of Identity Impersonation
R 558 Use of getlogin() in Multithreaded Application
R 560 Use of umask() with chmod-style Argument
R 562 Return of Stack Variable Address
R 564 SQL Injection: Hibernate
R 565 Reliance on Cookies without Validation and Integrity Checking
R 566 Authorization Bypass Through User-Controlled SQL Primary Key
R 567 Unsynchronized Access to Shared Data in a Multithreaded Context
R 568 finalize() Method Without super.finalize()
R 570 Expression is Always False
R 571 Expression is Always True
R 572 Call to Thread run() instead of start()
R 573 Improper Following of Specification by Caller
R 574 EJB Bad Practices: Use of Synchronization Primitives
R 575 EJB Bad Practices: Use of AWT Swing
R 576 EJB Bad Practices: Use of Java I/O
R 577 EJB Bad Practices: Use of Sockets
R 578 EJB Bad Practices: Use of Class Loader
R 579 J2EE Bad Practices: Non-serializable Object Stored in Session
R 580 clone() Method Without super.clone()
R 581 Object Model Violation: Just One of Equals and Hashcode Defined
R 582 Array Declared Public, Final, and Static
R 583 finalize() Method Declared Public
R 584 Return Inside Finally Block
R 585 Empty Synchronized Block
R 586 Explicit Call to Finalize()
R 587 Assignment of a Fixed Address to a Pointer
R 588 Attempt to Access Child of a Non-structure Pointer
R 589 Call to Non-ubiquitous API
R 590 Free of Memory not on the Heap
R 591 Sensitive Data Storage in Improperly Locked Memory
R 592 Authentication Bypass Issues
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
R 594 J2EE Framework: Saving Unserializable Objects to Disk
R 595 Comparison of Object References Instead of Object Contents
R 596 Incorrect Semantic Object Comparison
R 597 Use of Wrong Operator in String Comparison
R 598 Information Exposure Through Query Strings in GET Request
R 599 Missing Validation of OpenSSL Certificate
R 600 Uncaught Exception in Servlet
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 602 Client-Side Enforcement of Server-Side Security
R 603 Use of Client-Side Authentication
R 605 Multiple Binds to the Same Port
R 606 Unchecked Input for Loop Condition
R 607 Public Static Final Field References Mutable Object
R 608 Struts: Non-private Field in ActionForm Class
R 609 Double-Checked Locking
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 611 Improper Restriction of XML External Entity Reference ('XXE')
R 612 Information Exposure Through Indexing of Private Data
R 613 Insufficient Session Expiration
R 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
R 615 Information Exposure Through Comments
R 616 Incomplete Identification of Uploaded File Variables (PHP)
R 617 Reachable Assertion
R 618 Exposed Unsafe ActiveX Method
R 619 Dangling Database Cursor ('Cursor Injection')
R 620 Unverified Password Change
R 621 Variable Extraction Error
R 622 Improper Validation of Function Hook Arguments
R 623 Unsafe ActiveX Control Marked Safe For Scripting
R 624 Executable Regular Expression Error
R 625 Permissive Regular Expression
R 626 Null Byte Interaction Error (Poison Null Byte)
R 627 Dynamic Variable Evaluation
R 628 Function Call with Incorrectly Specified Arguments
R 636 Not Failing Securely ('Failing Open')
R 637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
R 638 Not Using Complete Mediation
R 639 Authorization Bypass Through User-Controlled Key
R 640 Weak Password Recovery Mechanism for Forgotten Password
R 641 Improper Restriction of Names for Files and Other Resources
R 642 External Control of Critical State Data
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
R 644 Improper Neutralization of HTTP Headers for Scripting Syntax
R 645 Overly Restrictive Account Lockout Mechanism
R 646 Reliance on File Name or Extension of Externally-Supplied File
R 647 Use of Non-Canonical URL Paths for Authorization Decisions
R 648 Incorrect Use of Privileged APIs
R 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
R 650 Trusting HTTP Permission Methods on the Server Side
R 651 Information Exposure Through WSDL File
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
R 654 Reliance on a Single Factor in a Security Decision
R 655 Insufficient Psychological Acceptability
R 656 Reliance on Security Through Obscurity
R 657 Violation of Secure Design Principles
R 662 Improper Synchronization
R 663 Use of a Non-reentrant Function in a Concurrent Context
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 666 Operation on Resource in Wrong Phase of Lifetime
R 667 Improper Locking
R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
R 670 Always-Incorrect Control Flow Implementation
R 671 Lack of Administrator Control over Security
R 672 Operation on a Resource after Expiration or Release
R 673 External Influence of Sphere Definition
R 674 Uncontrolled Recursion
R 675 Duplicate Operations on Resource
R 676 Use of Potentially Dangerous Function
R 681 Incorrect Conversion between Numeric Types
R 682 Incorrect Calculation
R 683 Function Call With Incorrect Order of Arguments
R 684 Incorrect Provision of Specified Functionality
R 685 Function Call With Incorrect Number of Arguments
R 686 Function Call With Incorrect Argument Type
R 687 Function Call With Incorrectly Specified Argument Value
R 688 Function Call With Incorrect Variable or Reference as Argument
R 691 Insufficient Control Flow Management
R 693 Protection Mechanism Failure
R 694 Use of Multiple Resources with Duplicate Identifier
R 695 Use of Low-Level Functionality
R 696 Incorrect Behavior Order
R 697 Insufficient Comparison
R 698 Execution After Redirect (EAR)
R 703 Improper Check or Handling of Exceptional Conditions
R 704 Incorrect Type Conversion or Cast
R 705 Incorrect Control Flow Scoping
R 706 Use of Incorrectly-Resolved Name or Reference
R 707 Improper Enforcement of Message or Data Structure
R 708 Incorrect Ownership Assignment
R 710 Coding Standards Violation
R 732 Incorrect Permission Assignment for Critical Resource
R 733 Compiler Optimization Removal or Modification of Security-critical Code
R 749 Exposed Dangerous Method or Function
R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
R 756 Missing Custom Error Page
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
R 759 Use of a One-Way Hash without a Salt
R 760 Use of a One-Way Hash with a Predictable Salt
R 761 Free of Pointer not at Start of Buffer
R 762 Mismatched Memory Management Routines
R 763 Release of Invalid Pointer or Reference
R 764 Multiple Locks of a Critical Resource
R 765 Multiple Unlocks of a Critical Resource
R 766 Critical Variable Declared Public
R 767 Access to Critical Private Variable via Public Method
R 768 Incorrect Short Circuit Evaluation
R 770 Allocation of Resources Without Limits or Throttling
R 771 Missing Reference to Active Allocated Resource
R 772 Missing Release of Resource after Effective Lifetime
R 773 Missing Reference to Active File Descriptor or Handle
R 774 Allocation of File Descriptors or Handles Without Limits or Throttling
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 785 Use of Path Manipulation Function without Maximum-sized Buffer
NR 885 SFP Primary Cluster: Risky Values
N 886 SFP Primary Cluster: Unused entities
NR 887 SFP Primary Cluster: API
NR 889 SFP Primary Cluster: Exception Management
NR 890 SFP Primary Cluster: Memory Access
NR 891 SFP Primary Cluster: Memory Management
NR 892 SFP Primary Cluster: Resource Management
NR 893 SFP Primary Cluster: Path Resolution
NR 894 SFP Primary Cluster: Synchronization
NR 895 SFP Primary Cluster: Information Leak
NR 896 SFP Primary Cluster: Tainted Input
NR 897 SFP Primary Cluster: Entry Points
NR 898 SFP Primary Cluster: Authentication
NR 899 SFP Primary Cluster: Access Control
N 901 SFP Primary Cluster: Privilege
NR 902 SFP Primary Cluster: Channel
NR 903 SFP Primary Cluster: Cryptography
NR 904 SFP Primary Cluster: Malware
N 905 SFP Primary Cluster: Predictability
NR 906 SFP Primary Cluster: UI
NR 907 SFP Primary Cluster: Other
Detailed Difference Report
Detailed Difference Report
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Relationships
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Relationships
Minor None
7 J2EE Misconfiguration: Missing Custom Error Page
Major Relationships
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Relationships, Taxonomy_Mappings
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Relationships
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Relationships
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Demonstrative_Examples, Relationships
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Relationships, Taxonomy_Mappings
Minor None
15 External Control of System or Configuration Setting
Major Relationships, Taxonomy_Mappings
Minor None
16 Configuration
Major Detection_Factors
Minor None
20 Improper Input Validation
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
23 Relative Path Traversal
Major Relationships, Taxonomy_Mappings
Minor None
24 Path Traversal: '../filedir'
Major Relationships, Taxonomy_Mappings
Minor None
25 Path Traversal: '/../filedir'
Major Relationships, Taxonomy_Mappings
Minor None
26 Path Traversal: '/dir/../filename'
Major Relationships, Taxonomy_Mappings
Minor None
27 Path Traversal: 'dir/../../filename'
Major Relationships, Taxonomy_Mappings
Minor None
28 Path Traversal: '..\filedir'
Major Relationships, Taxonomy_Mappings
Minor None
29 Path Traversal: '\..\filename'
Major Relationships, Taxonomy_Mappings
Minor None
30 Path Traversal: '\dir\..\filename'
Major Relationships, Taxonomy_Mappings
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Relationships, Taxonomy_Mappings
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Relationships, Taxonomy_Mappings
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Relationships, Taxonomy_Mappings
Minor None
34 Path Traversal: '....//'
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
35 Path Traversal: '.../...//'
Major Relationships, Taxonomy_Mappings
Minor None
36 Absolute Path Traversal
Major Relationships, Taxonomy_Mappings
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Relationships, Taxonomy_Mappings
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Relationships, Taxonomy_Mappings
Minor None
39 Path Traversal: 'C:dirname'
Major Relationships, Taxonomy_Mappings
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Relationships, Taxonomy_Mappings
Minor None
41 Improper Resolution of Path Equivalence
Major Detection_Factors, Relationships
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Relationships, Taxonomy_Mappings
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Relationships, Taxonomy_Mappings
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Relationships, Taxonomy_Mappings
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Relationships, Taxonomy_Mappings
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Relationships, Taxonomy_Mappings
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Relationships, Taxonomy_Mappings
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Relationships, Taxonomy_Mappings
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Relationships, Taxonomy_Mappings
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Relationships, Taxonomy_Mappings
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Relationships, Taxonomy_Mappings
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Relationships, Taxonomy_Mappings
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Relationships, Taxonomy_Mappings
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Relationships, Taxonomy_Mappings
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Relationships, Taxonomy_Mappings
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Relationships, Taxonomy_Mappings
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Relationships, Taxonomy_Mappings
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Relationships, Taxonomy_Mappings
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
62 UNIX Hard Link
Major Relationships, Taxonomy_Mappings
Minor None
64 Windows Shortcut Following (.LNK)
Major Relationships, Taxonomy_Mappings
Minor None
65 Windows Hard Link
Major Relationships, Taxonomy_Mappings
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Detection_Factors, Relationships
Minor None
67 Improper Handling of Windows Device Names
Major Relationships, Taxonomy_Mappings
Minor None
71 Apple '.DS_Store'
Major Relationships
Minor None
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Relationships
Minor None
73 External Control of File Name or Path
Major Relationships, Taxonomy_Mappings
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Relationships, Taxonomy_Mappings
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Relationships
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships, Taxonomy_Mappings
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Relationships, Taxonomy_Mappings
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Relationships, Taxonomy_Mappings
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Relationships, Taxonomy_Mappings
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Relationships, Taxonomy_Mappings
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Relationships, Taxonomy_Mappings
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Relationships, Taxonomy_Mappings
Minor None
85 Doubled Character XSS Manipulations
Major Relationships, Taxonomy_Mappings
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Relationships, Taxonomy_Mappings
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Relationships, Taxonomy_Mappings
Minor None
88 Argument Injection or Modification
Major Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Relationships, Taxonomy_Mappings
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Relationships, Taxonomy_Mappings
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Relationships, Taxonomy_Mappings
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Relationships
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Relationships, Taxonomy_Mappings
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Relationships, Taxonomy_Mappings
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships, Taxonomy_Mappings
Minor None
100 Technology-Specific Input Validation Problems
Major Relationships
Minor None
102 Struts: Duplicate Validation Forms
Major Relationships, Taxonomy_Mappings
Minor None
103 Struts: Incomplete validate() Method Definition
Major Relationships, Taxonomy_Mappings
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Relationships, Taxonomy_Mappings
Minor None
105 Struts: Form Field Without Validator
Major Relationships, Taxonomy_Mappings
Minor None
106 Struts: Plug-in Framework not in Use
Major Relationships
Minor None
107 Struts: Unused Validation Form
Major Relationships
Minor None
108 Struts: Unvalidated Action Form
Major Relationships, Taxonomy_Mappings
Minor None
109 Struts: Validator Turned Off
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
110 Struts: Validator Without Form Field
Major Relationships, Taxonomy_Mappings
Minor None
111 Direct Use of Unsafe JNI
Major Relationships, Taxonomy_Mappings
Minor None
112 Missing XML Validation
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Relationships, Taxonomy_Mappings
Minor None
114 Process Control
Major Relationships
Minor None
115 Misinterpretation of Input
Major Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major Demonstrative_Examples, Relationships
Minor None
117 Improper Output Neutralization for Logs
Major Relationships, Taxonomy_Mappings
Minor None
118 Improper Access of Indexable Resource ('Range Error')
Major Relationships, Taxonomy_Mappings
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor Demonstrative_Examples
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
121 Stack-based Buffer Overflow
Major Relationships, Taxonomy_Mappings
Minor None
122 Heap-based Buffer Overflow
Major Relationships, Taxonomy_Mappings
Minor None
123 Write-what-where Condition
Major Relationships, Taxonomy_Mappings
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Relationships, Taxonomy_Mappings
Minor None
125 Out-of-bounds Read
Major Relationships, Taxonomy_Mappings
Minor Demonstrative_Examples
126 Buffer Over-read
Major Relationships, Taxonomy_Mappings
Minor None
127 Buffer Under-read
Major Relationships, Taxonomy_Mappings
Minor None
128 Wrap-around Error
Major Relationships, Taxonomy_Mappings
Minor None
129 Improper Validation of Array Index
Major Relationships, Taxonomy_Mappings
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Relationships
Minor None
131 Incorrect Calculation of Buffer Size
Major Detection_Factors, Relationships
Minor None
134 Uncontrolled Format String
Major Demonstrative_Examples, Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
135 Incorrect Calculation of Multi-Byte String Length
Major Relationships, Taxonomy_Mappings
Minor None
138 Improper Neutralization of Special Elements
Major Relationships, Taxonomy_Mappings
Minor None
140 Improper Neutralization of Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
142 Improper Neutralization of Value Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
143 Improper Neutralization of Record Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
144 Improper Neutralization of Line Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
145 Improper Neutralization of Section Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
147 Improper Neutralization of Input Terminators
Major Relationships, Taxonomy_Mappings
Minor None
148 Improper Neutralization of Input Leaders
Major Relationships, Taxonomy_Mappings
Minor None
149 Improper Neutralization of Quoting Syntax
Major Relationships, Taxonomy_Mappings
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Relationships
Minor None
151 Improper Neutralization of Comment Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
152 Improper Neutralization of Macro Symbols
Major Relationships, Taxonomy_Mappings
Minor None
153 Improper Neutralization of Substitution Characters
Major Relationships, Taxonomy_Mappings
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Relationships, Taxonomy_Mappings
Minor None
156 Improper Neutralization of Whitespace
Major Relationships, Taxonomy_Mappings
Minor None
157 Failure to Sanitize Paired Delimiters
Major Relationships, Taxonomy_Mappings
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Relationships, Taxonomy_Mappings
Minor None
159 Failure to Sanitize Special Element
Major Relationships, Taxonomy_Mappings
Minor None
160 Improper Neutralization of Leading Special Elements
Major Relationships, Taxonomy_Mappings
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Relationships, Taxonomy_Mappings
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Relationships, Taxonomy_Mappings
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Relationships, Taxonomy_Mappings
Minor None
164 Improper Neutralization of Internal Special Elements
Major Relationships, Taxonomy_Mappings
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Relationships, Taxonomy_Mappings
Minor None
166 Improper Handling of Missing Special Element
Major Relationships
Minor None
167 Improper Handling of Additional Special Element
Major Relationships
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Relationships
Minor None
170 Improper Null Termination
Major Relationships, Taxonomy_Mappings
Minor None
172 Encoding Error
Major Relationships
Minor None
173 Improper Handling of Alternate Encoding
Major Relationships
Minor None
174 Double Decoding of the Same Data
Major Relationships
Minor None
175 Improper Handling of Mixed Encoding
Major Relationships
Minor None
176 Improper Handling of Unicode Encoding
Major Relationships
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Relationships
Minor None
178 Improper Handling of Case Sensitivity
Major Relationships
Minor None
179 Incorrect Behavior Order: Early Validation
Major Relationships
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Relationships
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Relationships
Minor None
182 Collapse of Data into Unsafe Value
Major Relationships
Minor None
183 Permissive Whitelist
Major Relationships
Minor None
184 Incomplete Blacklist
Major Demonstrative_Examples, Relationships
Minor None
185 Incorrect Regular Expression
Major Demonstrative_Examples, Relationships
Minor None
186 Overly Restrictive Regular Expression
Major Relationships
Minor None
187 Partial Comparison
Major Relationships
Minor None
188 Reliance on Data/Memory Layout
Major Demonstrative_Examples, Relationships
Minor None
190 Integer Overflow or Wraparound
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor Demonstrative_Examples
191 Integer Underflow (Wrap or Wraparound)
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
193 Off-by-one Error
Major Demonstrative_Examples, Relationships
Minor None
194 Unexpected Sign Extension
Major Relationships, Taxonomy_Mappings
Minor None
195 Signed to Unsigned Conversion Error
Major Relationships, Taxonomy_Mappings
Minor None
196 Unsigned to Signed Conversion Error
Major Relationships, Taxonomy_Mappings
Minor None
197 Numeric Truncation Error
Major Relationships, Taxonomy_Mappings
Minor None
198 Use of Incorrect Byte Ordering
Major Relationships
Minor None
200 Information Exposure
Major Detection_Factors, Relationships
Minor None
201 Information Exposure Through Sent Data
Major Demonstrative_Examples, Relationships
Minor None
202 Exposure of Sensitive Data Through Data Queries
Major Relationships
Minor None
203 Information Exposure Through Discrepancy
Major Relationships
Minor None
204 Response Discrepancy Information Exposure
Major Relationships
Minor None
205 Information Exposure Through Behavioral Discrepancy
Major Relationships
Minor None
206 Information Exposure of Internal State Through Behavioral Inconsistency
Major Relationships
Minor None
207 Information Exposure Through an External Behavioral Inconsistency
Major Relationships
Minor None
208 Information Exposure Through Timing Discrepancy
Major Relationships
Minor None
209 Information Exposure Through an Error Message
Major Relationships, Taxonomy_Mappings
Minor None
210 Information Exposure Through Self-generated Error Message
Major Relationships, Taxonomy_Mappings
Minor None
211 Information Exposure Through Externally-generated Error Message
Major Relationships
Minor None
212 Improper Cross-boundary Removal of Sensitive Data
Major Relationships
Minor None
213 Intentional Information Exposure
Major Demonstrative_Examples, Relationships
Minor None
214 Information Exposure Through Process Environment
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
215 Information Exposure Through Debug Information
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
216 Containment Errors (Container Errors)
Major Relationships
Minor None
219 Sensitive Data Under Web Root
Major Relationships
Minor None
220 Sensitive Data Under FTP Root
Major Relationships
Minor None
221 Information Loss or Omission
Major Relationships
Minor None
222 Truncation of Security-relevant Information
Major Relationships
Minor None
223 Omission of Security-relevant Information
Major Relationships
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Relationships
Minor None
226 Sensitive Information Uncleared Before Release
Major Relationships, Taxonomy_Mappings
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Relationships
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Relationships
Minor None
229 Improper Handling of Values
Major Relationships
Minor None
230 Improper Handling of Missing Values
Major Relationships
Minor None
231 Improper Handling of Extra Values
Major Relationships
Minor None
232 Improper Handling of Undefined Values
Major Demonstrative_Examples, Relationships
Minor None
233 Improper Handling of Parameters
Major Relationships
Minor None
234 Failure to Handle Missing Parameter
Major Relationships
Minor None
235 Improper Handling of Extra Parameters
Major Relationships
Minor None
236 Improper Handling of Undefined Parameters
Major Relationships
Minor None
237 Improper Handling of Structural Elements
Major Relationships
Minor None
238 Improper Handling of Incomplete Structural Elements
Major Relationships
Minor None
239 Failure to Handle Incomplete Element
Major Relationships
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Relationships
Minor None
241 Improper Handling of Unexpected Data Type
Major Relationships
Minor None
242 Use of Inherently Dangerous Function
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
243 Creation of chroot Jail Without Changing Working Directory
Major Relationships, Taxonomy_Mappings
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Relationships, Taxonomy_Mappings
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Relationships, Taxonomy_Mappings
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
Major Taxonomy_Mappings
Minor None
248 Uncaught Exception
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
250 Execution with Unnecessary Privileges
Major Detection_Factors
Minor None
252 Unchecked Return Value
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
253 Incorrect Check of Function Return Value
Major Relationships, Taxonomy_Mappings
Minor None
255 Credentials Management
Major Detection_Factors
Minor None
256 Plaintext Storage of a Password
Major Relationships, Taxonomy_Mappings
Minor None
257 Storing Passwords in a Recoverable Format
Major Relationships, Taxonomy_Mappings
Minor None
258 Empty Password in Configuration File
Major Relationships
Minor None
259 Use of Hard-coded Password
Major Relationships, Taxonomy_Mappings
Minor None
260 Password in Configuration File
Major Demonstrative_Examples, Relationships
Minor None
261 Weak Cryptography for Passwords
Major Relationships
Minor None
262 Not Using Password Aging
Major Relationships
Minor None
263 Password Aging with Long Expiration
Major Relationships
Minor None
264 Permissions, Privileges, and Access Controls
Major Detection_Factors
Minor None
265 Privilege / Sandbox Issues
Major Detection_Factors
Minor None
272 Least Privilege Violation
Major Detection_Factors, Taxonomy_Mappings
Minor None
273 Improper Check for Dropped Privileges
Major Relationships, Taxonomy_Mappings
Minor None
275 Permission Issues
Major Detection_Factors
Minor None
276 Incorrect Default Permissions
Major Detection_Factors, Relationships
Minor None
277 Insecure Inherited Permissions
Major Relationships
Minor None
278 Insecure Preserved Inherited Permissions
Major Relationships
Minor None
279 Incorrect Execution-Assigned Permissions
Major Relationships
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Relationships, Taxonomy_Mappings
Minor None
281 Improper Preservation of Permissions
Major Relationships
Minor None
282 Improper Ownership Management
Major Relationships
Minor None
283 Unverified Ownership
Major Relationships
Minor None
284 Improper Access Control
Major Relationships
Minor None
285 Improper Authorization
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
286 Incorrect User Management
Major Relationships
Minor None
287 Improper Authentication
Major Detection_Factors, Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Relationships
Minor None
290 Authentication Bypass by Spoofing
Major Demonstrative_Examples, Relationships
Minor None
292 DEPRECATED (Duplicate): Trusting Self-reported DNS Name
Major Taxonomy_Mappings
Minor None
293 Using Referer Field for Authentication
Major Relationships, Taxonomy_Mappings
Minor None
294 Authentication Bypass by Capture-replay
Major Relationships
Minor None
295 Improper Certificate Validation
Major Detection_Factors
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Demonstrative_Examples, Relationships
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Relationships
Minor None
298 Improper Validation of Certificate Expiration
Major Relationships
Minor None
299 Improper Check for Certificate Revocation
Major Relationships
Minor None
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Demonstrative_Examples, Relationships
Minor None
301 Reflection Attack in an Authentication Protocol
Major Relationships
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Demonstrative_Examples, Relationships
Minor None
303 Incorrect Implementation of Authentication Algorithm
Major Relationships
Minor None
304 Missing Critical Step in Authentication
Major Relationships
Minor None
305 Authentication Bypass by Primary Weakness
Major Relationships
Minor None
306 Missing Authentication for Critical Function
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
308 Use of Single-factor Authentication
Major Relationships
Minor None
309 Use of Password System for Primary Authentication
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
312 Cleartext Storage of Sensitive Information
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
313 Cleartext Storage in a File or on Disk
Major Relationships, Taxonomy_Mappings
Minor None
314 Cleartext Storage in the Registry
Major Relationships, Taxonomy_Mappings
Minor None
315 Cleartext Storage of Sensitive Information in a Cookie
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
316 Cleartext Storage of Sensitive Information in Memory
Major Relationships, Taxonomy_Mappings
Minor None
317 Cleartext Storage of Sensitive Information in GUI
Major Relationships, Taxonomy_Mappings
Minor None
318 Cleartext Storage of Sensitive Information in Executable
Major Relationships
Minor None
319 Cleartext Transmission of Sensitive Information
Major Relationships, Taxonomy_Mappings
Minor None
321 Use of Hard-coded Cryptographic Key
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
322 Key Exchange without Entity Authentication
Major Relationships
Minor None
323 Reusing a Nonce, Key Pair in Encryption
Major Relationships
Minor None
324 Use of a Key Past its Expiration Date
Major Demonstrative_Examples, Relationships
Minor None
325 Missing Required Cryptographic Step
Major Relationships
Minor None
326 Inadequate Encryption Strength
Major Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Demonstrative_Examples, Detection_Factors, Relationships
Minor None
328 Reversible One-Way Hash
Major Relationships
Minor None
329 Not Using a Random IV with CBC Mode
Major Relationships
Minor None
330 Use of Insufficiently Random Values
Major Detection_Factors
Minor None
336 Same Seed in PRNG
Major Demonstrative_Examples
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships
Minor None
346 Origin Validation Error
Major Relationships
Minor None
347 Improper Verification of Cryptographic Signature
Major Demonstrative_Examples, Relationships
Minor None
348 Use of Less Trusted Source
Major Relationships
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Relationships
Minor None
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
351 Insufficient Type Distinction
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Detection_Factors
Minor None
353 Missing Support for Integrity Check
Major Relationships
Minor None
354 Improper Validation of Integrity Check Value
Major Relationships
Minor None
356 Product UI does not Warn User of Unsafe Actions
Major Relationships
Minor None
357 Insufficient UI Warning of Dangerous Operations
Major Relationships
Minor None
358 Improperly Implemented Security Check for Standard
Major Relationships
Minor None
359 Exposure of Private Information ('Privacy Violation')
Major Relationships
Minor None
360 Trust of System Event Data
Major Relationships, Taxonomy_Mappings
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Detection_Factors, Relationships
Minor None
363 Race Condition Enabling Link Following
Major Relationships, Taxonomy_Mappings
Minor None
364 Signal Handler Race Condition
Major Relationships, Taxonomy_Mappings
Minor None
365 Race Condition in Switch
Major Relationships, Taxonomy_Mappings
Minor None
366 Race Condition within a Thread
Major Relationships, Taxonomy_Mappings
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
368 Context Switching Race Condition
Major Relationships
Minor None
369 Divide By Zero
Major Relationships, Taxonomy_Mappings
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
372 Incomplete Internal State Distinction
Major Relationships
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Relationships, Taxonomy_Mappings
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major Relationships, Taxonomy_Mappings
Minor None
377 Insecure Temporary File
Major Relationships
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Relationships
Minor None
379 Creation of Temporary File in Directory with Incorrect Permissions
Major Relationships
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major Relationships, Taxonomy_Mappings
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Relationships, Taxonomy_Mappings
Minor None
385 Covert Timing Channel
Major Relationships
Minor None
386 Symbolic Name not Mapping to Correct Object
Major Relationships
Minor None
390 Detection of Error Condition Without Action
Major Relationships, Taxonomy_Mappings
Minor None
391 Unchecked Error Condition
Major Relationships, Taxonomy_Mappings
Minor None
392 Missing Report of Error Condition
Major Relationships, Taxonomy_Mappings
Minor None
393 Return of Wrong Status Code
Major Relationships, Taxonomy_Mappings
Minor None
394 Unexpected Status Code or Return Value
Major Relationships, Taxonomy_Mappings
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Detection_Factors, Relationships
Minor None
396 Declaration of Catch for Generic Exception
Major Relationships, Taxonomy_Mappings
Minor None
397 Declaration of Throws for Generic Exception
Major Relationships, Taxonomy_Mappings
Minor None
398 Indicator of Poor Code Quality
Major Detection_Factors, Relationships
Minor None
399 Resource Management Errors
Major Detection_Factors
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Relationships, Taxonomy_Mappings
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Relationships, Taxonomy_Mappings
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Relationships
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major Relationships, Taxonomy_Mappings
Minor None
404 Improper Resource Shutdown or Release
Major Relationships, Taxonomy_Mappings
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Relationships
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Relationships
Minor None
407 Algorithmic Complexity
Major Relationships
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Relationships
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Relationships
Minor None
410 Insufficient Resource Pool
Major Relationships
Minor None
412 Unrestricted Externally Accessible Lock
Major Relationships, Taxonomy_Mappings
Minor None
413 Improper Resource Locking
Major Relationships, Taxonomy_Mappings
Minor None
414 Missing Lock Check
Major Relationships, Taxonomy_Mappings
Minor None
415 Double Free
Major Relationships, Taxonomy_Mappings
Minor None
416 Use After Free
Major Relationships, Taxonomy_Mappings
Minor None
419 Unprotected Primary Channel
Major Relationships
Minor None
420 Unprotected Alternate Channel
Major Relationships
Minor None
421 Race Condition During Access to Alternate Channel
Major Relationships
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Relationships, Taxonomy_Mappings
Minor None
424 Improper Protection of Alternate Path
Major Relationships, Taxonomy_Mappings
Minor None
425 Direct Request ('Forced Browsing')
Major Relationships, Taxonomy_Mappings
Minor None
427 Uncontrolled Search Path Element
Major Relationships
Minor None
428 Unquoted Search Path or Element
Major Relationships
Minor None
430 Deployment of Wrong Handler
Major Relationships
Minor None
431 Missing Handler
Major Relationships, Taxonomy_Mappings
Minor None
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major Relationships
Minor None
433 Unparsed Raw Web Content Delivery
Major Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Detection_Factors
Minor None
435 Interaction Error
Major Relationships
Minor None
436 Interpretation Conflict
Major Relationships
Minor None
437 Incomplete Model of Endpoint Features
Major Relationships
Minor None
439 Behavioral Change in New Version or Environment
Major Relationships
Minor None
440 Expected Behavior Violation
Major Relationships
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Relationships
Minor None
446 UI Discrepancy for Security Feature
Major Relationships
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Relationships
Minor None
448 Obsolete Feature in UI
Major Relationships
Minor None
449 The UI Performs the Wrong Action
Major Relationships
Minor None
450 Multiple Interpretations of UI Input
Major Relationships
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Relationships
Minor None
453 Insecure Default Variable Initialization
Major Relationships
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Relationships, Taxonomy_Mappings
Minor None
455 Non-exit on Failed Initialization
Major Relationships
Minor None
456 Missing Initialization of a Variable
Major Relationships, Taxonomy_Mappings
Minor None
457 Use of Uninitialized Variable
Major Relationships, Taxonomy_Mappings
Minor None
459 Incomplete Cleanup
Major Relationships, Taxonomy_Mappings
Minor None
460 Improper Cleanup on Thrown Exception
Major Relationships
Minor None
462 Duplicate Key in Associative List (Alist)
Major Relationships
Minor None
463 Deletion of Data Structure Sentinel
Major Relationships
Minor None
464 Addition of Data Structure Sentinel
Major Relationships
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Relationships, Taxonomy_Mappings
Minor None
467 Use of sizeof() on a Pointer Type
Major Relationships, Taxonomy_Mappings
Minor None
468 Incorrect Pointer Scaling
Major Relationships, Taxonomy_Mappings
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Relationships, Taxonomy_Mappings
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Relationships
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Relationships
Minor None
473 PHP External Variable Modification
Major Relationships
Minor None
474 Use of Function with Inconsistent Implementations
Major Relationships, Taxonomy_Mappings
Minor None
475 Undefined Behavior for Input to API
Major Relationships, Taxonomy_Mappings
Minor None
476 NULL Pointer Dereference
Major Relationships, Taxonomy_Mappings
Minor None
477 Use of Obsolete Functions
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
478 Missing Default Case in Switch Statement
Major Relationships, Taxonomy_Mappings
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Relationships, Taxonomy_Mappings
Minor None
480 Use of Incorrect Operator
Major Relationships
Minor None
481 Assigning instead of Comparing
Major Relationships, Taxonomy_Mappings
Minor None
482 Comparing instead of Assigning
Major Taxonomy_Mappings
Minor None
483 Incorrect Block Delimitation
Major Relationships
Minor None
484 Omitted Break Statement in Switch
Major Relationships, Taxonomy_Mappings
Minor None
485 Insufficient Encapsulation
Major Relationships
Minor None
486 Comparison of Classes by Name
Major Relationships, Taxonomy_Mappings
Minor None
487 Reliance on Package-level Scope
Major Relationships
Minor None
488 Exposure of Data Element to Wrong Session
Major Relationships
Minor None
489 Leftover Debug Code
Major Relationships, Taxonomy_Mappings
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major Relationships, Taxonomy_Mappings
Minor None
492 Use of Inner Class Containing Sensitive Data
Major Relationships
Minor None
493 Critical Public Variable Without Final Modifier
Major Relationships, Taxonomy_Mappings
Minor None
494 Download of Code Without Integrity Check
Major Relationships, Taxonomy_Mappings
Minor None
495 Private Array-Typed Field Returned From A Public Method
Major Relationships, Taxonomy_Mappings
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Relationships, Taxonomy_Mappings
Minor None
497 Exposure of System Data to an Unauthorized Control Sphere
Major Relationships, Taxonomy_Mappings
Minor None
498 Cloneable Class Containing Sensitive Information
Major Relationships, Taxonomy_Mappings
Minor None
499 Serializable Class Containing Sensitive Data
Major Relationships, Taxonomy_Mappings
Minor None
500 Public Static Field Not Marked Final
Major Relationships, Taxonomy_Mappings
Minor None
501 Trust Boundary Violation
Major Relationships, Taxonomy_Mappings
Minor None
502 Deserialization of Untrusted Data
Major Relationships, Taxonomy_Mappings
Minor None
506 Embedded Malicious Code
Major Detection_Factors
Minor None
510 Trapdoor
Major Detection_Factors
Minor None
514 Covert Channel
Major Detection_Factors, Relationships
Minor None
515 Covert Storage Channel
Major Relationships
Minor None
521 Weak Password Requirements
Major Relationships
Minor None
522 Insufficiently Protected Credentials
Major Relationships
Minor None
523 Unprotected Transport of Credentials
Major Relationships, Taxonomy_Mappings
Minor None
524 Information Exposure Through Caching
Major Relationships
Minor None
525 Information Exposure Through Browser Caching
Major Relationships
Minor None
526 Information Exposure Through Environmental Variables
Major Relationships, Taxonomy_Mappings
Minor None
527 Exposure of CVS Repository to an Unauthorized Control Sphere
Major Relationships
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Relationships
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Relationships
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Relationships
Minor None
531 Information Exposure Through Test Code
Major Relationships, Taxonomy_Mappings
Minor None
532 Information Exposure Through Log Files
Major Relationships, Taxonomy_Mappings
Minor None
533 Information Exposure Through Server Log Files
Major Relationships, Taxonomy_Mappings
Minor None
534 Information Exposure Through Debug Log Files
Major Relationships, Taxonomy_Mappings
Minor None
535 Information Exposure Through Shell Error Message
Major Relationships
Minor None
536 Information Exposure Through Servlet Runtime Error Message
Major Relationships
Minor None
537 Information Exposure Through Java Runtime Error Message
Major Relationships
Minor None
538 File and Directory Information Exposure
Major Relationships
Minor None
539 Information Exposure Through Persistent Cookies
Major Relationships
Minor None
540 Information Exposure Through Source Code
Major Relationships
Minor None
541 Information Exposure Through Include Source Code
Major Relationships
Minor None
542 Information Exposure Through Cleanup Log Files
Major Relationships, Taxonomy_Mappings
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Relationships, Taxonomy_Mappings
Minor None
544 Missing Standardized Error Handling Mechanism
Major Relationships
Minor None
545 Use of Dynamic Class Loading
Major Relationships, Taxonomy_Mappings
Minor None
546 Suspicious Comment
Major Relationships
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Relationships
Minor None
548 Information Exposure Through Directory Listing
Major Relationships
Minor None
549 Missing Password Field Masking
Major Relationships
Minor None
550 Information Exposure Through Server Error Message
Major Relationships
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships
Minor None
553 Command Shell in Externally Accessible Directory
Major Relationships
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Relationships, Taxonomy_Mappings
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Relationships
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Relationships
Minor None
558 Use of getlogin() in Multithreaded Application
Major Relationships, Taxonomy_Mappings
Minor None
560 Use of umask() with chmod-style Argument
Major Relationships
Minor None
561 Dead Code
Major Detection_Factors, Taxonomy_Mappings
Minor None
562 Return of Stack Variable Address
Major Relationships, Taxonomy_Mappings
Minor None
563 Assignment to Variable without Use ('Unused Variable')
Major Taxonomy_Mappings
Minor None
564 SQL Injection: Hibernate
Major Relationships, Taxonomy_Mappings
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Relationships, Taxonomy_Mappings
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Relationships, Taxonomy_Mappings
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Relationships, Taxonomy_Mappings
Minor None
568 finalize() Method Without super.finalize()
Major Relationships, Taxonomy_Mappings
Minor None
570 Expression is Always False
Major Relationships, Taxonomy_Mappings
Minor None
571 Expression is Always True
Major Relationships, Taxonomy_Mappings
Minor None
572 Call to Thread run() instead of start()
Major Relationships, Taxonomy_Mappings
Minor None
573 Improper Following of Specification by Caller
Major Relationships
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Relationships, Taxonomy_Mappings
Minor None
575 EJB Bad Practices: Use of AWT Swing
Major Relationships, Taxonomy_Mappings
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Relationships, Taxonomy_Mappings
Minor None
577 EJB Bad Practices: Use of Sockets
Major Relationships, Taxonomy_Mappings
Minor None
578 EJB Bad Practices: Use of Class Loader
Major Relationships, Taxonomy_Mappings
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Relationships, Taxonomy_Mappings
Minor None
580 clone() Method Without super.clone()
Major Relationships, Taxonomy_Mappings
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Relationships
Minor None
582 Array Declared Public, Final, and Static
Major Relationships
Minor None
583 finalize() Method Declared Public
Major Relationships, Taxonomy_Mappings
Minor None
584 Return Inside Finally Block
Major Relationships, Taxonomy_Mappings
Minor None
585 Empty Synchronized Block
Major Relationships, Taxonomy_Mappings
Minor None
586 Explicit Call to Finalize()
Major Relationships, Taxonomy_Mappings
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Relationships, Taxonomy_Mappings
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Relationships, Taxonomy_Mappings
Minor None
589 Call to Non-ubiquitous API
Major Relationships, Taxonomy_Mappings
Minor None
590 Free of Memory not on the Heap
Major Relationships, Taxonomy_Mappings
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Relationships, Taxonomy_Mappings
Minor None
592 Authentication Bypass Issues
Major Relationships
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Relationships
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Relationships, Taxonomy_Mappings
Minor None
595 Comparison of Object References Instead of Object Contents
Major Relationships
Minor None
596 Incorrect Semantic Object Comparison
Major Relationships
Minor None
597 Use of Wrong Operator in String Comparison
Major Relationships, Taxonomy_Mappings
Minor None
598 Information Exposure Through Query Strings in GET Request
Major Relationships, Taxonomy_Mappings
Minor None
599 Missing Validation of OpenSSL Certificate
Major Relationships
Minor None
600 Uncaught Exception in Servlet
Major Relationships, Taxonomy_Mappings
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Relationships
Minor None
603 Use of Client-Side Authentication
Major Relationships
Minor None
605 Multiple Binds to the Same Port
Major Relationships, Taxonomy_Mappings
Minor None
606 Unchecked Input for Loop Condition
Major Relationships, Taxonomy_Mappings
Minor None
607 Public Static Final Field References Mutable Object
Major Relationships, Taxonomy_Mappings
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Relationships, Taxonomy_Mappings
Minor None
609 Double-Checked Locking
Major Relationships, Taxonomy_Mappings
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Relationships
Minor None
611 Improper Restriction of XML External Entity Reference ('XXE')
Major Relationships, Taxonomy_Mappings
Minor None
612 Information Exposure Through Indexing of Private Data
Major Relationships
Minor None
613 Insufficient Session Expiration
Major Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Relationships
Minor None
615 Information Exposure Through Comments
Major Relationships
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Relationships, Taxonomy_Mappings
Minor None
617 Reachable Assertion
Major Relationships, Taxonomy_Mappings
Minor None
618 Exposed Unsafe ActiveX Method
Major Relationships
Minor None
619 Dangling Database Cursor ('Cursor Injection')
Major Relationships, Taxonomy_Mappings
Minor None
620 Unverified Password Change
Major Relationships, Taxonomy_Mappings
Minor None
621 Variable Extraction Error
Major Relationships, Taxonomy_Mappings
Minor None
622 Improper Validation of Function Hook Arguments
Major Relationships, Taxonomy_Mappings
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Relationships
Minor None
624 Executable Regular Expression Error
Major Relationships, Taxonomy_Mappings
Minor None
625 Permissive Regular Expression
Major Relationships
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Relationships
Minor None
627 Dynamic Variable Evaluation
Major Relationships
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Relationships
Minor None
636 Not Failing Securely ('Failing Open')
Major Relationships
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Relationships
Minor None
638 Not Using Complete Mediation
Major Relationships, Taxonomy_Mappings
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Relationships
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Relationships
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Relationships, Taxonomy_Mappings
Minor None
642 External Control of Critical State Data
Major Relationships, Taxonomy_Mappings
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Relationships, Taxonomy_Mappings
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Relationships, Taxonomy_Mappings
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Relationships
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Relationships
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Relationships
Minor None
648 Incorrect Use of Privileged APIs
Major Relationships
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Relationships
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Relationships
Minor None
651 Information Exposure Through WSDL File
Major Relationships
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Relationships, Taxonomy_Mappings
Minor None
653 Insufficient Compartmentalization
Major Detection_Factors
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Relationships
Minor None
655 Insufficient Psychological Acceptability
Major Relationships
Minor None
656 Reliance on Security Through Obscurity
Major Relationships
Minor None
657 Violation of Secure Design Principles
Major Relationships
Minor None
662 Improper Synchronization
Major Relationships, Taxonomy_Mappings
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Relationships, Taxonomy_Mappings
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Relationships
Minor None
667 Improper Locking
Major Relationships, Taxonomy_Mappings
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major Relationships
Minor None
671 Lack of Administrator Control over Security
Major Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Relationships, Taxonomy_Mappings
Minor None
673 External Influence of Sphere Definition
Major Relationships
Minor None
674 Uncontrolled Recursion
Major Relationships, Taxonomy_Mappings
Minor None
675 Duplicate Operations on Resource
Major Relationships
Minor None
676 Use of Potentially Dangerous Function
Major Detection_Factors, Relationships, Taxonomy_Mappings
Minor None
681 Incorrect Conversion between Numeric Types
Major Relationships, Taxonomy_Mappings
Minor None
682 Incorrect Calculation
Major Relationships
Minor None
683 Function Call With Incorrect Order of Arguments
Major Relationships
Minor None
684 Incorrect Provision of Specified Functionality
Major Relationships
Minor None
685 Function Call With Incorrect Number of Arguments
Major Relationships, Taxonomy_Mappings
Minor None
686 Function Call With Incorrect Argument Type
Major Relationships, Taxonomy_Mappings
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Relationships
Minor None
688 Function Call With Incorrect Variable or Reference as Argument
Major Relationships
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Relationships
Minor None
695 Use of Low-Level Functionality
Major Relationships
Minor None
696 Incorrect Behavior Order
Major Relationships
Minor None
697 Insufficient Comparison
Major Relationships
Minor None
698 Execution After Redirect (EAR)
Major Relationships
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Detection_Factors, Relationships
Minor None
704 Incorrect Type Conversion or Cast
Major Relationships, Taxonomy_Mappings
Minor None
705 Incorrect Control Flow Scoping
Major Relationships
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Relationships
Minor None
707 Improper Enforcement of Message or Data Structure
Major Relationships
Minor None
708 Incorrect Ownership Assignment
Major Relationships
Minor None
710 Coding Standards Violation
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Detection_Factors, Relationships
Minor None
733 Compiler Optimization Removal or Modification of Security-critical Code
Major Relationships
Minor None
749 Exposed Dangerous Method or Function
Major Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Demonstrative_Examples, Relationships
Minor None
755 Improper Handling of Exceptional Conditions
Major Relationships
Minor None
756 Missing Custom Error Page
Major Relationships
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Relationships
Minor None
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major Relationships
Minor None
759 Use of a One-Way Hash without a Salt
Major Detection_Factors, Relationships
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Relationships
Minor None
761 Free of Pointer not at Start of Buffer
Major Relationships, Taxonomy_Mappings
Minor None
762 Mismatched Memory Management Routines
Major Relationships, Taxonomy_Mappings
Minor None
763 Release of Invalid Pointer or Reference
Major Relationships, Taxonomy_Mappings
Minor None
764 Multiple Locks of a Critical Resource
Major Relationships, Taxonomy_Mappings
Minor None
765 Multiple Unlocks of a Critical Resource
Major Relationships, Taxonomy_Mappings
Minor None
766 Critical Variable Declared Public
Major Relationships, Taxonomy_Mappings
Minor None
767 Access to Critical Private Variable via Public Method
Major Relationships, Taxonomy_Mappings
Minor None
768 Incorrect Short Circuit Evaluation
Major Relationships, Taxonomy_Mappings
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Relationships
Minor None
771 Missing Reference to Active Allocated Resource
Major Relationships, Taxonomy_Mappings
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Relationships, Taxonomy_Mappings
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Relationships, Taxonomy_Mappings
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Relationships, Taxonomy_Mappings
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Relationships, Taxonomy_Mappings
Minor None
785 Use of Path Manipulation Function without Maximum-sized Buffer
Major Relationships, Taxonomy_Mappings
Minor None
798 Use of Hard-coded Credentials
Major Demonstrative_Examples, Detection_Factors
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Detection_Factors
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Detection_Factors
Minor None
834 Excessive Iteration
Major Detection_Factors
Minor None
862 Missing Authorization
Major Detection_Factors
Minor None
863 Incorrect Authorization
Major Detection_Factors
Minor None
885 SFP Primary Cluster: Risky Values
Major Name, Relationships
Minor None
886 SFP Primary Cluster: Unused entities
Major Name
Minor None
887 SFP Primary Cluster: API
Major Name, Relationships
Minor None
889 SFP Primary Cluster: Exception Management
Major Name, Relationships
Minor None
890 SFP Primary Cluster: Memory Access
Major Name, Relationships
Minor None
891 SFP Primary Cluster: Memory Management
Major Name, Relationships
Minor None
892 SFP Primary Cluster: Resource Management
Major Name, Relationships
Minor None
893 SFP Primary Cluster: Path Resolution
Major Name, Relationships
Minor None
894 SFP Primary Cluster: Synchronization
Major Name, Relationships
Minor None
895 SFP Primary Cluster: Information Leak
Major Name, Relationships
Minor None
896 SFP Primary Cluster: Tainted Input
Major Name, Relationships
Minor None
897 SFP Primary Cluster: Entry Points
Major Name, Relationships
Minor None
898 SFP Primary Cluster: Authentication
Major Name, Relationships
Minor None
899 SFP Primary Cluster: Access Control
Major Name, Relationships
Minor None
901 SFP Primary Cluster: Privilege
Major Name
Minor None
902 SFP Primary Cluster: Channel
Major Name, Relationships
Minor None
903 SFP Primary Cluster: Cryptography
Major Name, Relationships
Minor None
904 SFP Primary Cluster: Malware
Major Name, Relationships
Minor None
905 SFP Primary Cluster: Predictability
Major Name
Minor None
906 SFP Primary Cluster: UI
Major Name, Relationships
Minor None
907 SFP Primary Cluster: Other
Major Name, Relationships
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Detection_Factors
Minor None

More information is available — Please select a different filter.
Page Last Updated: January 05, 2017