CWE

Common Weakness Enumeration

Differences between Version 4.18 and Version 4.19

Summary
Total weaknesses/chains/composites (Version 4.19) 944
Total weaknesses/chains/composites (Version 4.18) 944
Total new 12
Total deprecated 0
Total with major changes 903
Total with only minor changes 2
Total unchanged 530

Summary of Entry Types

| Type | Version 4.18 | Version 4.19 |
|---|---|---|
| Weakness | 944 | 944 |
| Category | 375 | 385 |
| View | 52 | 54 |
| Deprecated | 64 | 64 |
| Total | 1435 | 1447 |

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

| Field | Major | Minor |
|---|---|---|
| Name | 1 | 0 |
| Description | 118 | 1 |
| Diagram | 11 | 0 |
| Relationships | 269 | 0 |
| Common_Consequences | 123 | 1 |
| Applicable_Platforms | 376 | 0 |
| Modes_of_Introduction | 6 | 3 |
| Detection_Factors | 194 | 0 |
| Potential_Mitigations | 26 | 7 |
| Demonstrative_Examples | 46 | 3 |
| Observed_Examples | 53 | 1 |
| Related_Attack_Patterns | 0 | 0 |
| Weakness_Ordinalities | 664 | 0 |
| Time_of_Introduction | 119 | 0 |
| Likelihood_of_Exploit | 0 | 0 |
| References | 55 | 0 |
| Mapping_Notes | 3 | 0 |
| Terminology_Notes | 4 | 0 |
| Alternate_Terms | 4 | 0 |
| Relationship_Notes | 17 | 0 |
| Taxonomy_Mappings | 0 | 0 |
| Maintenance_Notes | 29 | 0 |
| Affected_Resources | 0 | 0 |
| Functional_Areas | 0 | 0 |
| Research_Gaps | 0 | 0 |
| Background_Details | 9 | 0 |
| Theoretical_Notes | 0 | 0 |
| Other_Notes | 7 | 1 |
| View_Type | 0 | 0 |
| View_Structure | 0 | 0 |
| View_Filter | 0 | 0 |
| View_Audience | 0 | 0 |
| Type | 1 | 0 |
| Source_Taxonomy | 0 | 0 |

Form and Abstraction Changes

| From | To | Total | CWE IDs |
|---|---|---|---|
| Unchanged | | 1434 | |
| Weakness/Base | Weakness/Class | 1 | 841 |

Status Changes

| From | To | Total |
|---|---|---|
| Unchanged | | 1435 |

Relationship Changes

The "Version 4.19 Total" lists the total number of relationships in Version 4.19. The "Shared" value is the total number of relationships in entries that were in both Version 4.19 and Version 4.18. The "New" value is the total number of relationships involving entries that did not exist in Version 4.18. Thus, the total number of relationships in Version 4.19 would combine stats from Shared entries and New entries.

| Relationship | Version 4.19 Total | Version 4.18 Total | Version 4.19 Shared | Unchanged | Added to Version 4.19 | Removed from Version 4.18 | Version 4.19 New |
|---|---|---|---|---|---|---|---|
| ALL | 13162 | 12578 | 12594 | 12567 | 27 | 11 | 568 |
| ChildOf | 5557 | 5303 | 5308 | 5298 | 10 | 5 | 249 |
| ParentOf | 5557 | 5303 | 5308 | 5298 | 10 | 5 | 249 |
| MemberOf | 762 | 727 | 727 | 727 | | | 35 |
| HasMember | 762 | 727 | 727 | 727 | | | 35 |
| CanPrecede | 143 | 143 | 143 | 143 | | | |
| CanFollow | 143 | 143 | 143 | 143 | | | |
| StartsWith | 3 | 3 | 3 | 3 | | | |
| Requires | 13 | 13 | 13 | 13 | | | |
| RequiredBy | 13 | 13 | 13 | 13 | | | |
| CanAlsoBe | 27 | 27 | 27 | 26 | 1 | 1 | |
| PeerOf | 182 | 176 | 182 | 176 | 6 | | |

Nodes Removed in Version 4.19

CWE-ID CWE Name
None.

Nodes Added to Version 4.19

| CWE-ID | CWE Name |
|---|---|
| 1435 | Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses |
| 1436 | OWASP Top Ten 2025 Category A01:2025 - Broken Access Control |
| 1437 | OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration |
| 1438 | OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures |
| 1439 | OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures |
| 1440 | OWASP Top Ten 2025 Category A05:2025 - Injection |
| 1441 | OWASP Top Ten 2025 Category A06:2025 - Insecure Design |
| 1442 | OWASP Top Ten 2025 Category A07:2025 - Authentication Failures |
| 1443 | OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures |
| 1444 | OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures |
| 1445 | OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions |
| 1450 | Weaknesses in OWASP Top Ten RC1 (2025) |

Nodes Deprecated in Version 4.19

CWE-ID CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 5 J2EE Misconfiguration: Data Transmission Without Encryption
R 11 ASP.NET Misconfiguration: Creating Debug Binary
R 13 ASP.NET Misconfiguration: Password in Configuration File
R 15 External Control of System or Configuration Setting
R 16 Configuration
R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 23 Relative Path Traversal
D 35 Path Traversal: '.../...//'
R 36 Absolute Path Traversal
R 41 Improper Resolution of Path Equivalence
D 58 Path Equivalence: Windows 8.3 Filename
R 59 Improper Link Resolution Before File Access ('Link Following')
R 61 UNIX Symbolic Link (Symlink) Following
D 64 Windows Shortcut Following (.LNK)
R 65 Windows Hard Link
R 73 External Control of File Name or Path
D R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 76 Improper Neutralization of Equivalent Special Elements
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
R 83 Improper Neutralization of Script in Attributes in a Web Page
R 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
R 88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
R 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
R 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
R 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
D R 103 Struts: Incomplete validate() Method Definition
R 104 Struts: Form Bean Does Not Extend Validation Class
D 107 Struts: Unused Validation Form
R 112 Missing XML Validation
R 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
R 114 Process Control
R 115 Misinterpretation of Input
R 116 Improper Encoding or Escaping of Output
R 117 Improper Output Neutralization for Logs
D 124 Buffer Underwrite ('Buffer Underflow')
R 125 Out-of-bounds Read
D 127 Buffer Under-read
R 129 Improper Validation of Array Index
R 159 Improper Handling of Invalid Use of Special Elements
R 180 Incorrect Behavior Order: Validate Before Canonicalize
R 183 Permissive List of Allowed Inputs
R 200 Exposure of Sensitive Information to an Unauthorized Actor
R 201 Insertion of Sensitive Information Into Sent Data
R 209 Generation of Error Message Containing Sensitive Information
R 215 Insertion of Sensitive Information Into Debugging Code
R 219 Storage of File with Sensitive Data Under Web Root
D R 221 Information Loss or Omission
R 223 Omission of Security-relevant Information
R 234 Failure to Handle Missing Parameter
R 235 Improper Handling of Extra Parameters
R 248 Uncaught Exception
R 252 Unchecked Return Value
R 256 Plaintext Storage of a Password
R 258 Empty Password in Configuration File
R 259 Use of Hard-coded Password
R 260 Password in Configuration File
R 261 Weak Encoding for Password
R 266 Incorrect Privilege Assignment
R 269 Improper Privilege Management
R 274 Improper Handling of Insufficient Privileges
R 276 Incorrect Default Permissions
R 280 Improper Handling of Insufficient Permissions or Privileges
R 281 Improper Preservation of Permissions
R 282 Improper Ownership Management
R 283 Unverified Ownership
R 284 Improper Access Control
D R 285 Improper Authorization
R 286 Incorrect User Management
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
R 290 Authentication Bypass by Spoofing
R 291 Reliance on IP Address for Authentication
R 293 Using Referer Field for Authentication
R 294 Authentication Bypass by Capture-replay
R 295 Improper Certificate Validation
R 296 Improper Following of a Certificate's Chain of Trust
R 297 Improper Validation of Certificate with Host Mismatch
R 298 Improper Validation of Certificate Expiration
R 299 Improper Check for Certificate Revocation
R 300 Channel Accessible by Non-Endpoint
R 302 Authentication Bypass by Assumed-Immutable Data
R 303 Incorrect Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
R 305 Authentication Bypass by Primary Weakness
R 306 Missing Authentication for Critical Function
R 307 Improper Restriction of Excessive Authentication Attempts
D R 308 Use of Single-factor Authentication
R 309 Use of Password System for Primary Authentication
R 311 Missing Encryption of Sensitive Data
R 312 Cleartext Storage of Sensitive Information
R 313 Cleartext Storage in a File or on Disk
R 315 Cleartext Storage of Sensitive Information in a Cookie
R 316 Cleartext Storage of Sensitive Information in Memory
R 319 Cleartext Transmission of Sensitive Information
R 320 Key Management Errors
R 321 Use of Hard-coded Cryptographic Key
R 322 Key Exchange without Entity Authentication
R 323 Reusing a Nonce, Key Pair in Encryption
R 324 Use of a Key Past its Expiration Date
R 325 Missing Cryptographic Step
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 328 Use of Weak Hash
R 329 Generation of Predictable IV with CBC Mode
R 330 Use of Insufficiently Random Values
R 331 Insufficient Entropy
R 332 Insufficient Entropy in PRNG
R 334 Small Space of Random Values
R 335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
R 336 Same Seed in Pseudo-Random Number Generator (PRNG)
R 337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
R 338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
R 340 Generation of Predictable Numbers or Identifiers
R 342 Predictable Exact Value from Previous Values
R 344 Use of Invariant Value in Dynamically Changing Context
R 345 Insufficient Verification of Data Authenticity
R 346 Origin Validation Error
R 347 Improper Verification of Cryptographic Signature
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
R 352 Cross-Site Request Forgery (CSRF)
R 353 Missing Support for Integrity Check
R 359 Exposure of Private Personal Information to an Unauthorized Actor
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 369 Divide By Zero
R 377 Insecure Temporary File
R 379 Creation of Temporary File in Directory with Insecure Permissions
R 382 J2EE Bad Practices: Use of System.exit()
R 384 Session Fixation
R 390 Detection of Error Condition Without Action
R 391 Unchecked Error Condition
R 394 Unexpected Status Code or Return Value
R 396 Declaration of Catch for Generic Exception
R 397 Declaration of Throws for Generic Exception
R 402 Transmission of Private Resources into a New Sphere ('Resource Leak')
R 416 Use After Free
R 419 Unprotected Primary Channel
R 424 Improper Protection of Alternate Path
R 425 Direct Request ('Forced Browsing')
R 426 Untrusted Search Path
R 427 Uncontrolled Search Path Element
R 434 Unrestricted Upload of File with Dangerous Type
R 436 Interpretation Conflict
R 441 Unintended Proxy or Intermediary ('Confused Deputy')
R 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
R 447 Unimplemented or Unsupported Feature in UI
R 451 User Interface (UI) Misrepresentation of Critical Information
R 454 External Initialization of Trusted Variables or Data Stores
R 460 Improper Cleanup on Thrown Exception
R 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
R 472 External Control of Assumed-Immutable Web Parameter
R 476 NULL Pointer Dereference
R 477 Use of Obsolete Function
R 478 Missing Default Case in Multiple Condition Expression
R 484 Omitted Break Statement in Switch
R 489 Active Debug Code
R 493 Critical Public Variable Without Final Modifier
R 494 Download of Code Without Integrity Check
R 497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
R 500 Public Static Field Not Marked Final
R 501 Trust Boundary Violation
R 502 Deserialization of Untrusted Data
R 506 Embedded Malicious Code
R 509 Replicating Malicious Code (Virus or Worm)
D R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
R 523 Unprotected Transport of Credentials
R 525 Use of Web Browser Cache Containing Sensitive Information
R 526 Cleartext Storage of Sensitive Information in an Environment Variable
R 532 Insertion of Sensitive Information into Log File
D 536 Servlet Runtime Error Message Containing Sensitive Information
R 538 Insertion of Sensitive Information into Externally-Accessible File or Directory
R 539 Use of Persistent Cookies Containing Sensitive Information
R 540 Inclusion of Sensitive Information in Source Code
R 547 Use of Hard-coded, Security-relevant Constants
R 548 Exposure of Information Through Directory Listing
R 550 Server-generated Error Message Containing Sensitive Information
R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
R 552 Files or Directories Accessible to External Parties
R 564 SQL Injection: Hibernate
R 565 Reliance on Cookies without Validation and Integrity Checking
R 566 Authorization Bypass Through User-Controlled SQL Primary Key
R 598 Use of GET Request Method With Sensitive Query Strings
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 602 Client-Side Enforcement of Server-Side Security
R 610 Externally Controlled Reference to a Resource in Another Sphere
D R 611 Improper Restriction of XML External Entity Reference
R 613 Insufficient Session Expiration
R 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
R 615 Inclusion of Sensitive Information in Source Code Comments
R 617 Reachable Assertion
R 620 Unverified Password Change
R 628 Function Call with Incorrectly Specified Arguments
R 636 Not Failing Securely ('Failing Open')
R 639 Authorization Bypass Through User-Controlled Key
R 640 Weak Password Recovery Mechanism for Forgotten Password
R 642 External Control of Critical State Data
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
R 644 Improper Neutralization of HTTP Headers for Scripting Syntax
R 646 Reliance on File Name or Extension of Externally-Supplied File
R 647 Use of Non-Canonical URL Paths for Authorization Decisions
R 653 Improper Isolation or Compartmentalization
R 656 Reliance on Security Through Obscurity
R 657 Violation of Secure Design Principles
D R 662 Improper Synchronization
R 668 Exposure of Resource to Wrong Sphere
R 670 Always-Incorrect Control Flow Implementation
R 676 Use of Potentially Dangerous Function
R 691 Insufficient Control Flow Management
R 693 Protection Mechanism Failure
D 696 Incorrect Behavior Order
D 697 Incorrect Comparison
R 703 Improper Check or Handling of Exceptional Conditions
R 705 Incorrect Control Flow Scoping
R 732 Incorrect Permission Assignment for Critical Resource
R 749 Exposed Dangerous Method or Function
R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
R 756 Missing Custom Error Page
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 759 Use of a One-Way Hash without a Salt
R 760 Use of a One-Way Hash with a Predictable Salt
R 770 Allocation of Resources Without Limits or Throttling
R 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
R 778 Insufficient Logging
R 780 Use of RSA Algorithm without OAEP
R 784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
R 787 Out-of-bounds Write
R 798 Use of Hard-coded Credentials
R 799 Improper Control of Interaction Frequency
R 807 Reliance on Untrusted Inputs in a Security Decision
D R 829 Inclusion of Functionality from Untrusted Control Sphere
R 830 Inclusion of Web Functionality from an Untrusted Source
R 841 Improper Enforcement of Behavioral Workflow
R 862 Missing Authorization
R 863 Incorrect Authorization
R 915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
R 916 Use of Password Hash With Insufficient Computational Effort
R 917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
R 918 Server-Side Request Forgery (SSRF)
R 922 Insecure Storage of Sensitive Information
R 926 Improper Export of Android Application Components
R 939 Improper Authorization in Handler for Custom URL Scheme
R 940 Improper Verification of Source of a Communication Channel
R 941 Incorrectly Specified Destination in a Communication Channel
R 942 Permissive Cross-domain Security Policy with Untrusted Domains
R 1004 Sensitive Cookie Without 'HttpOnly' Flag
R 1021 Improper Restriction of Rendered UI Layers or Frames
R 1022 Use of Web Link to Untrusted Target with window.opener Access
D 1023 Incomplete Comparison with Missing Factors
D 1024 Comparison of Incompatible Types
D 1025 Comparison Using Wrong Factors
R 1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
D 1041 Use of Redundant Code
D 1042 Static Member Data Element outside of a Singleton Class Element
D 1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
D 1044 Architecture with Number of Horizontal Layers Outside of Expected Range
D 1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
D 1046 Creation of Immutable Text Using String Concatenation
D 1047 Modules with Circular Dependencies
D 1048 Invokable Control Element with Large Number of Outward Calls
D 1049 Excessive Data Query Operations in a Large Data Table
D 1050 Excessive Platform Resource Consumption within a Loop
D 1051 Initialization with Hard-Coded Network Resource Configuration Data
D 1052 Excessive Use of Hard-Coded Literals in Initialization
D 1053 Missing Documentation for Design
D 1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
D 1055 Multiple Inheritance from Concrete Classes
D 1056 Invokable Control Element with Variadic Parameters
D 1057 Data Access Operations Outside of Expected Data Manager Component
D 1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
D 1060 Excessive Number of Inefficient Server-Side Data Accesses
D 1061 Insufficient Encapsulation
D 1062 Parent Class with References to Child Class
D 1063 Creation of Class Instance within a Static Code Block
D 1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
D 1065 Runtime Resource Management Control Element in a Component Built to Run on Application Servers
D 1066 Missing Serialization Control Element
D 1067 Excessive Execution of Sequential Searches of Data Resource
D 1068 Inconsistency Between Implementation and Documented Design
D 1069 Empty Exception Block
D 1070 Serializable Data Element Containing non-Serializable Item Elements
D 1072 Data Resource Access without Use of Connection Pooling
D 1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
D 1074 Class with Excessively Deep Inheritance
D 1075 Unconditional Control Flow Transfer outside of Switch Block
D 1076 Insufficient Adherence to Expected Conventions
D 1077 Floating Point Comparison with Incorrect Operator
D 1079 Parent Class without Virtual Destructor Method
D 1080 Source Code File with Excessive Number of Lines of Code
D 1082 Class Instance Self Destruction Control Element
D 1083 Data Access from Outside Expected Data Manager Component
D 1084 Invokable Control Element with Excessive File or Data Access Operations
D 1085 Invokable Control Element with Excessive Volume of Commented-out Code
D 1086 Class with Excessive Number of Child Classes
D 1087 Class with Virtual Method without a Virtual Destructor
D 1088 Synchronous Access of Remote Resource without Timeout
D 1089 Large Data Table with Excessive Number of Indices
D 1090 Method Containing Access of a Member Element from Another Class
D 1091 Use of Object without Invoking Destructor Method
D 1092 Use of Same Invokable Control Element in Multiple Architectural Layers
D 1093 Excessively Complex Data Representation
D 1094 Excessive Index Range Scan for a Data Resource
D 1095 Loop Condition Value Update within the Loop
D 1096 Singleton Class Instance Creation without Proper Locking or Synchronization
D 1097 Persistent Storable Data Element without Associated Comparison Control Element
D 1098 Data Element containing Pointer Item without Proper Copy Control Element
D 1099 Inconsistent Naming Conventions for Identifiers
D 1100 Insufficient Isolation of System-Dependent Functions
D 1101 Reliance on Runtime Component in Generated Code
D 1102 Reliance on Machine-Dependent Data Representation
D 1103 Use of Platform-Dependent Third Party Components
D R 1104 Use of Unmaintained Third Party Components
D 1105 Insufficient Encapsulation of Machine-Dependent Functionality
D 1106 Insufficient Use of Symbolic Constants
D 1107 Insufficient Isolation of Symbolic Constant Definitions
D 1108 Excessive Reliance on Global Variables
D 1109 Use of Same Variable for Multiple Purposes
D 1113 Inappropriate Comment Style
D 1114 Inappropriate Whitespace Style
D 1115 Source Code Element without Standard Prologue
D N 1116 Inaccurate Source Code Comments
D 1117 Callable with Insufficient Behavioral Summary
D 1119 Excessive Use of Unconditional Branching
D 1120 Excessive Code Complexity
D 1121 Excessive McCabe Cyclomatic Complexity
D 1122 Excessive Halstead Complexity
D 1123 Excessive Use of Self-Modifying Code
D 1124 Excessively Deep Nesting
R 1125 Excessive Attack Surface
D 1126 Declaration of Variable with Unnecessarily Wide Scope
D 1127 Compilation with Insufficient Warnings or Errors
R 1174 ASP.NET Misconfiguration: Improper Model Validation
D 1176 Inefficient CPU Computation
D R 1188 Initialization of a Resource with an Insecure Default
D 1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
D 1236 Improper Neutralization of Formula Elements in a CSV File
R 1240 Use of a Cryptographic Primitive with a Risky Implementation
D R 1241 Use of Predictable Algorithm in Random Number Generator
D 1242 Inclusion of Undocumented Features or Chicken Bits
D 1243 Sensitive Non-Volatile Information Not Protected During Debug
D 1244 Internal Asset Exposed to Unsafe Debug Access Level or State
D 1245 Improper Finite State Machines (FSMs) in Hardware Logic
D 1246 Improper Write Handling in Limited-write Non-Volatile Memories
D 1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
D 1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
D 1253 Incorrect Selection of Fuse Values
R 1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
D 1259 Improper Restriction of Security Token Assignment
D R 1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
R 1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
D 1270 Generation of Incorrect Security Tokens
D 1274 Improper Access Control for Volatile Memory Containing Boot Code
R 1275 Sensitive Cookie with Improper SameSite Attribute
D 1284 Improper Validation of Specified Quantity in Input
R 1329 Reliance on Component That is Not Updateable
R 1390 Weak Authentication
D R 1391 Use of Weak Credentials
R 1392 Use of Default Credentials
R 1393 Use of Default Password
R 1395 Dependency on Vulnerable Third-Party Component

Detailed Difference Report

5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Relationships, Weakness_Ordinalities
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
7 J2EE Misconfiguration: Missing Custom Error Page
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major References, Relationships, Weakness_Ordinalities
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Weakness_Ordinalities
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Weakness_Ordinalities
Minor None
15 External Control of System or Configuration Setting
Major Relationships, Weakness_Ordinalities
Minor None
16 Configuration
Major Relationships
Minor None
20 Improper Input Validation
Major Relationships, Weakness_Ordinalities
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Mapping_Notes, Relationships
Minor None
23 Relative Path Traversal
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
24 Path Traversal: '../filedir'
Major Detection_Factors, Weakness_Ordinalities
Minor None
25 Path Traversal: '/../filedir'
Major Detection_Factors, Weakness_Ordinalities
Minor None
26 Path Traversal: '/dir/../filename'
Major Detection_Factors, Weakness_Ordinalities
Minor None
27 Path Traversal: 'dir/../../filename'
Major Detection_Factors, Weakness_Ordinalities
Minor None
28 Path Traversal: '..\filedir'
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
29 Path Traversal: '\..\filename'
Major Detection_Factors, Weakness_Ordinalities
Minor None
30 Path Traversal: '\dir\..\filename'
Major Detection_Factors, Weakness_Ordinalities
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
34 Path Traversal: '....//'
Major Weakness_Ordinalities
Minor None
35 Path Traversal: '.../...//'
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Diagram, Potential_Mitigations, Weakness_Ordinalities
Minor None
36 Absolute Path Traversal
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Detection_Factors, Weakness_Ordinalities
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Detection_Factors, Weakness_Ordinalities
Minor None
39 Path Traversal: 'C:dirname'
Major Detection_Factors, Weakness_Ordinalities
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
41 Improper Resolution of Path Equivalence
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Weakness_Ordinalities
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Weakness_Ordinalities
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Weakness_Ordinalities
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Weakness_Ordinalities
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Weakness_Ordinalities
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Weakness_Ordinalities
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Weakness_Ordinalities
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Weakness_Ordinalities
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Weakness_Ordinalities
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Observed_Examples, Weakness_Ordinalities
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Applicable_Platforms, Background_Details, Description, Weakness_Ordinalities
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Applicable_Platforms, Relationships
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Detection_Factors, Relationships
Minor None
62 UNIX Hard Link
Major Applicable_Platforms
Minor None
64 Windows Shortcut Following (.LNK)
Major Applicable_Platforms, Common_Consequences, Description
Minor None
65 Windows Hard Link
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
73 External Control of File Name or Path
Major Relationships
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Demonstrative_Examples, Description, Diagram, Maintenance_Notes, Other_Notes, References, Relationships
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Weakness_Ordinalities
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Applicable_Platforms, Demonstrative_Examples, Relationships
Minor Other_Notes
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Applicable_Platforms, Relationships
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Applicable_Platforms, Detection_Factors
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Applicable_Platforms, Relationships
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Applicable_Platforms
Minor None
85 Doubled Character XSS Manipulations
Major Applicable_Platforms
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Weakness_Ordinalities
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Applicable_Platforms, Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Relationships, Weakness_Ordinalities
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Relationships, Weakness_Ordinalities
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Demonstrative_Examples, Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Demonstrative_Examples, Relationships, Weakness_Ordinalities
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Demonstrative_Examples, Relationships
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Detection_Factors, Relationships
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Weakness_Ordinalities
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Relationships
Minor None
103 Struts: Incomplete validate() Method Definition
Major Common_Consequences, Description, Relationships
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Relationships
Minor None
107 Struts: Unused Validation Form
Major Description, Modes_of_Introduction
Minor None
112 Missing XML Validation
Major Relationships
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
114 Process Control
Major Relationships, Weakness_Ordinalities
Minor None
115 Misinterpretation of Input
Major Relationships, Weakness_Ordinalities
Minor None
116 Improper Encoding or Escaping of Output
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Weakness_Ordinalities
Minor None
117 Improper Output Neutralization for Logs
Major Relationships
Minor None
118 Incorrect Access of Indexable Resource ('Range Error')
Major Weakness_Ordinalities
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities
Minor Potential_Mitigations
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Applicable_Platforms, Detection_Factors, References, Terminology_Notes
Minor Potential_Mitigations
121 Stack-based Buffer Overflow
Major Alternate_Terms, Applicable_Platforms, Detection_Factors, Other_Notes, References, Relationship_Notes, Terminology_Notes
Minor Potential_Mitigations
122 Heap-based Buffer Overflow
Major Alternate_Terms, Applicable_Platforms, Detection_Factors, Observed_Examples, References, Relationship_Notes, Terminology_Notes
Minor Potential_Mitigations
123 Write-what-where Condition
Major Applicable_Platforms, Detection_Factors, References
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction, References
Minor None
125 Out-of-bounds Read
Major Applicable_Platforms, Detection_Factors, References, Relationships
Minor None
126 Buffer Over-read
Major Applicable_Platforms, Detection_Factors, References
Minor None
127 Buffer Under-read
Major Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction, References
Minor None
128 Wrap-around Error
Major Detection_Factors
Minor None
129 Improper Validation of Array Index
Major Detection_Factors, References, Relationships
Minor Potential_Mitigations
130 Improper Handling of Length Parameter Inconsistency
Major Applicable_Platforms, Detection_Factors
Minor None
131 Incorrect Calculation of Buffer Size
Major Applicable_Platforms, Detection_Factors, Observed_Examples, References, Weakness_Ordinalities
Minor Potential_Mitigations
134 Use of Externally-Controlled Format String
Major Applicable_Platforms
Minor None
135 Incorrect Calculation of Multi-Byte String Length
Major Weakness_Ordinalities
Minor None
138 Improper Neutralization of Special Elements
Major Demonstrative_Examples, Maintenance_Notes
Minor None
140 Improper Neutralization of Delimiters
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Weakness_Ordinalities
Minor None
142 Improper Neutralization of Value Delimiters
Major Weakness_Ordinalities
Minor None
143 Improper Neutralization of Record Delimiters
Major Weakness_Ordinalities
Minor None
144 Improper Neutralization of Line Delimiters
Major Weakness_Ordinalities
Minor None
145 Improper Neutralization of Section Delimiters
Major Weakness_Ordinalities
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Weakness_Ordinalities
Minor None
147 Improper Neutralization of Input Terminators
Major Weakness_Ordinalities
Minor None
148 Improper Neutralization of Input Leaders
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
149 Improper Neutralization of Quoting Syntax
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Detection_Factors, Weakness_Ordinalities
Minor None
151 Improper Neutralization of Comment Delimiters
Major Weakness_Ordinalities
Minor None
152 Improper Neutralization of Macro Symbols
Major Weakness_Ordinalities
Minor None
153 Improper Neutralization of Substitution Characters
Major Weakness_Ordinalities
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Weakness_Ordinalities
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Detection_Factors, Observed_Examples, Weakness_Ordinalities
Minor None
156 Improper Neutralization of Whitespace
Major Weakness_Ordinalities
Minor None
157 Failure to Sanitize Paired Delimiters
Major Weakness_Ordinalities
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Applicable_Platforms, References, Weakness_Ordinalities
Minor None
159 Improper Handling of Invalid Use of Special Elements
Major Relationships, Weakness_Ordinalities
Minor None
160 Improper Neutralization of Leading Special Elements
Major Weakness_Ordinalities
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Weakness_Ordinalities
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
164 Improper Neutralization of Internal Special Elements
Major Weakness_Ordinalities
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Weakness_Ordinalities
Minor None
166 Improper Handling of Missing Special Element
Major Weakness_Ordinalities
Minor None
167 Improper Handling of Additional Special Element
Major Weakness_Ordinalities
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Weakness_Ordinalities
Minor None
172 Encoding Error
Major Weakness_Ordinalities
Minor None
173 Improper Handling of Alternate Encoding
Major Weakness_Ordinalities
Minor None
174 Double Decoding of the Same Data
Major Weakness_Ordinalities
Minor None
175 Improper Handling of Mixed Encoding
Major Weakness_Ordinalities
Minor None
176 Improper Handling of Unicode Encoding
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Observed_Examples, Weakness_Ordinalities
Minor None
178 Improper Handling of Case Sensitivity
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
179 Incorrect Behavior Order: Early Validation
Major Observed_Examples, Weakness_Ordinalities
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Weakness_Ordinalities
Minor None
182 Collapse of Data into Unsafe Value
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
183 Permissive List of Allowed Inputs
Major Applicable_Platforms, Relationships
Minor None
184 Incomplete List of Disallowed Inputs
Major Applicable_Platforms, Demonstrative_Examples, Observed_Examples
Minor None
185 Incorrect Regular Expression
Major Weakness_Ordinalities
Minor None
186 Overly Restrictive Regular Expression
Major Weakness_Ordinalities
Minor None
187 Partial String Comparison
Major Applicable_Platforms
Minor None
188 Reliance on Data/Memory Layout
Major Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities
Minor None
190 Integer Overflow or Wraparound
Major Applicable_Platforms, Observed_Examples, Weakness_Ordinalities
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Weakness_Ordinalities
Minor None
192 Integer Coercion Error
Major Weakness_Ordinalities
Minor None
193 Off-by-one Error
Major Weakness_Ordinalities
Minor None
194 Unexpected Sign Extension
Major Detection_Factors, Weakness_Ordinalities
Minor None
195 Signed to Unsigned Conversion Error
Major Weakness_Ordinalities
Minor None
196 Unsigned to Signed Conversion Error
Major Detection_Factors, Weakness_Ordinalities
Minor None
197 Numeric Truncation Error
Major Weakness_Ordinalities
Minor None
198 Use of Incorrect Byte Ordering
Major Weakness_Ordinalities
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Applicable_Platforms, Relationships
Minor None
201 Insertion of Sensitive Information Into Sent Data
Major Relationships, Weakness_Ordinalities
Minor None
202 Exposure of Sensitive Information Through Data Queries
Major Demonstrative_Examples, Potential_Mitigations, References, Weakness_Ordinalities
Minor None
203 Observable Discrepancy
Major Weakness_Ordinalities
Minor None
204 Observable Response Discrepancy
Major Weakness_Ordinalities
Minor None
205 Observable Behavioral Discrepancy
Major Weakness_Ordinalities
Minor None
206 Observable Internal Behavioral Discrepancy
Major Weakness_Ordinalities
Minor None
207 Observable Behavioral Discrepancy With Equivalent Products
Major Weakness_Ordinalities
Minor None
208 Observable Timing Discrepancy
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
209 Generation of Error Message Containing Sensitive Information
Major Applicable_Platforms, Relationships
Minor None
210 Self-generated Error Message Containing Sensitive Information
Major Weakness_Ordinalities
Minor None
211 Externally-Generated Error Message Containing Sensitive Information
Major Applicable_Platforms
Minor None
212 Improper Removal of Sensitive Information Before Storage or Transfer
Major Common_Consequences, Detection_Factors, Observed_Examples, Potential_Mitigations, References
Minor None
213 Exposure of Sensitive Information Due to Incompatible Policies
Major Weakness_Ordinalities
Minor None
214 Invocation of Process Using Visible Sensitive Information
Major Weakness_Ordinalities
Minor None
215 Insertion of Sensitive Information Into Debugging Code
Major Relationships, Weakness_Ordinalities
Minor None
219 Storage of File with Sensitive Data Under Web Root
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
220 Storage of File With Sensitive Data Under FTP Root
Major Weakness_Ordinalities
Minor None
221 Information Loss or Omission
Major Applicable_Platforms, Description, Relationships, Weakness_Ordinalities
Minor None
222 Truncation of Security-relevant Information
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
223 Omission of Security-relevant Information
Major Relationships, Weakness_Ordinalities
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Weakness_Ordinalities
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
229 Improper Handling of Values
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
230 Improper Handling of Missing Values
Major Weakness_Ordinalities
Minor None
231 Improper Handling of Extra Values
Major Weakness_Ordinalities
Minor None
232 Improper Handling of Undefined Values
Major Weakness_Ordinalities
Minor None
233 Improper Handling of Parameters
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
234 Failure to Handle Missing Parameter
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
235 Improper Handling of Extra Parameters
Major Relationships, Weakness_Ordinalities
Minor None
236 Improper Handling of Undefined Parameters
Major Weakness_Ordinalities
Minor None
237 Improper Handling of Structural Elements
Major Applicable_Platforms, Demonstrative_Examples, Time_of_Introduction, Weakness_Ordinalities
Minor None
239 Failure to Handle Incomplete Element
Major Weakness_Ordinalities
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
241 Improper Handling of Unexpected Data Type
Major Weakness_Ordinalities
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Applicable_Platforms
Minor None
248 Uncaught Exception
Major Relationships, Weakness_Ordinalities
Minor None
250 Execution with Unnecessary Privileges
Major Maintenance_Notes, Weakness_Ordinalities
Minor None
252 Unchecked Return Value
Major Relationships
Minor None
253 Incorrect Check of Function Return Value
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
256 Plaintext Storage of a Password
Major Relationships
Minor None
258 Empty Password in Configuration File
Major Relationships
Minor None
259 Use of Hard-coded Password
Major Relationships
Minor None
260 Password in Configuration File
Major Relationships, Weakness_Ordinalities
Minor None
261 Weak Encoding for Password
Major Relationships, Weakness_Ordinalities
Minor None
262 Not Using Password Aging
Major Weakness_Ordinalities
Minor None
263 Password Aging with Long Expiration
Major Weakness_Ordinalities
Minor None
266 Incorrect Privilege Assignment
Major Relationships
Minor None
267 Privilege Defined With Unsafe Actions
Major Weakness_Ordinalities
Minor None
269 Improper Privilege Management
Major Relationships
Minor None
270 Privilege Context Switching Error
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
274 Improper Handling of Insufficient Privileges
Major Relationships
Minor None
276 Incorrect Default Permissions
Major Diagram, Maintenance_Notes, Relationships
Minor None
277 Insecure Inherited Permissions
Major Weakness_Ordinalities
Minor None
278 Insecure Preserved Inherited Permissions
Major Weakness_Ordinalities
Minor None
279 Incorrect Execution-Assigned Permissions
Major Detection_Factors, Weakness_Ordinalities
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
281 Improper Preservation of Permissions
Major Relationships
Minor None
282 Improper Ownership Management
Major Relationships, Weakness_Ordinalities
Minor None
283 Unverified Ownership
Major Relationships, Weakness_Ordinalities
Minor None
284 Improper Access Control
Major Applicable_Platforms, Demonstrative_Examples, Mapping_Notes, Observed_Examples, References, Relationships, Weakness_Ordinalities
Minor None
285 Improper Authorization
Major Applicable_Platforms, Common_Consequences, Description, Diagram, Relationships, Terminology_Notes, Weakness_Ordinalities
Minor None
286 Incorrect User Management
Major Relationships, Weakness_Ordinalities
Minor None
287 Improper Authentication
Major Applicable_Platforms, Maintenance_Notes, Relationships, Weakness_Ordinalities
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
289 Authentication Bypass by Alternate Name
Major Detection_Factors, Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
290 Authentication Bypass by Spoofing
Major Applicable_Platforms, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
291 Reliance on IP Address for Authentication
Major Relationships
Minor None
293 Using Referer Field for Authentication
Major Relationships, Weakness_Ordinalities
Minor None
294 Authentication Bypass by Capture-replay
Major Relationships, Weakness_Ordinalities
Minor None
295 Improper Certificate Validation
Major Applicable_Platforms, Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
298 Improper Validation of Certificate Expiration
Major Relationships, Weakness_Ordinalities
Minor None
299 Improper Check for Certificate Revocation
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
300 Channel Accessible by Non-Endpoint
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
301 Reflection Attack in an Authentication Protocol
Major Weakness_Ordinalities
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
303 Incorrect Implementation of Authentication Algorithm
Major Relationships, Weakness_Ordinalities
Minor None
304 Missing Critical Step in Authentication
Major Relationships, Weakness_Ordinalities
Minor None
305 Authentication Bypass by Primary Weakness
Major Relationships, Weakness_Ordinalities
Minor None
306 Missing Authentication for Critical Function
Major Relationships, Weakness_Ordinalities
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Relationships, Weakness_Ordinalities
Minor None
308 Use of Single-factor Authentication
Major Description, Diagram, Other_Notes, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
309 Use of Password System for Primary Authentication
Major Relationships, Weakness_Ordinalities
Minor None
311 Missing Encryption of Sensitive Data
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
312 Cleartext Storage of Sensitive Information
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
313 Cleartext Storage in a File or on Disk
Major Relationships, Weakness_Ordinalities
Minor None
314 Cleartext Storage in the Registry
Major Weakness_Ordinalities
Minor None
315 Cleartext Storage of Sensitive Information in a Cookie
Major Relationships, Weakness_Ordinalities
Minor None
316 Cleartext Storage of Sensitive Information in Memory
Major Relationships, Weakness_Ordinalities
Minor None
317 Cleartext Storage of Sensitive Information in GUI
Major Weakness_Ordinalities
Minor None
318 Cleartext Storage of Sensitive Information in Executable
Major Weakness_Ordinalities
Minor None
319 Cleartext Transmission of Sensitive Information
Major Applicable_Platforms, Maintenance_Notes, Relationships, Weakness_Ordinalities
Minor None
320 Key Management Errors
Major Relationships
Minor None
321 Use of Hard-coded Cryptographic Key
Major Maintenance_Notes, Relationships, Weakness_Ordinalities
Minor None
322 Key Exchange without Entity Authentication
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
323 Reusing a Nonce, Key Pair in Encryption
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
324 Use of a Key Past its Expiration Date
Major Relationships, Weakness_Ordinalities
Minor None
325 Missing Cryptographic Step
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
326 Inadequate Encryption Strength
Major Relationships, Weakness_Ordinalities
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Maintenance_Notes, Relationships, Weakness_Ordinalities
Minor None
328 Use of Weak Hash
Major Relationships, Weakness_Ordinalities
Minor None
329 Generation of Predictable IV with CBC Mode
Major Relationships, Weakness_Ordinalities
Minor None
330 Use of Insufficiently Random Values
Major Relationships
Minor None
331 Insufficient Entropy
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
332 Insufficient Entropy in PRNG
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major Weakness_Ordinalities
Minor None
334 Small Space of Random Values
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major Relationships, Weakness_Ordinalities
Minor None
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
339 Small Seed Space in PRNG
Major Weakness_Ordinalities
Minor None
340 Generation of Predictable Numbers or Identifiers
Major Applicable_Platforms, Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
341 Predictable from Observable State
Major Detection_Factors, Observed_Examples, Weakness_Ordinalities
Minor None
342 Predictable Exact Value from Previous Values
Major Relationships, Weakness_Ordinalities
Minor None
343 Predictable Value Range from Previous Values
Major Weakness_Ordinalities
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships, Weakness_Ordinalities
Minor None
346 Origin Validation Error
Major Applicable_Platforms, Detection_Factors, Relationships
Minor None
347 Improper Verification of Cryptographic Signature
Major Relationships, Weakness_Ordinalities
Minor None
348 Use of Less Trusted Source
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Relationships, Weakness_Ordinalities
Minor None
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major Relationships, Weakness_Ordinalities
Minor None
351 Insufficient Type Distinction
Major Weakness_Ordinalities
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
353 Missing Support for Integrity Check
Major Relationships, Weakness_Ordinalities
Minor None
354 Improper Validation of Integrity Check Value
Major Weakness_Ordinalities
Minor None
356 Product UI does not Warn User of Unsafe Actions
Major Weakness_Ordinalities
Minor None
357 Insufficient UI Warning of Dangerous Operations
Major Weakness_Ordinalities
Minor None
358 Improperly Implemented Security Check for Standard
Major Weakness_Ordinalities
Minor None
359 Exposure of Private Personal Information to an Unauthorized Actor
Major Alternate_Terms, Detection_Factors, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
Minor None
360 Trust of System Event Data
Major Weakness_Ordinalities
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
363 Race Condition Enabling Link Following
Major Detection_Factors, Weakness_Ordinalities
Minor None
364 Signal Handler Race Condition
Major Detection_Factors, Weakness_Ordinalities
Minor None
366 Race Condition within a Thread
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Weakness_Ordinalities
Minor None
368 Context Switching Race Condition
Major Applicable_Platforms, Detection_Factors
Minor None
369 Divide By Zero
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major Weakness_Ordinalities
Minor None
372 Incomplete Internal State Distinction
Major Weakness_Ordinalities
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
377 Insecure Temporary File
Major Other_Notes, Relationships, Weakness_Ordinalities
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Detection_Factors, Weakness_Ordinalities
Minor None
379 Creation of Temporary File in Directory with Insecure Permissions
Major Relationships, Weakness_Ordinalities
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
384 Session Fixation
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
385 Covert Timing Channel
Major Weakness_Ordinalities
Minor None
386 Symbolic Name not Mapping to Correct Object
Major Weakness_Ordinalities
Minor None
390 Detection of Error Condition Without Action
Major Relationships, Weakness_Ordinalities
Minor None
391 Unchecked Error Condition
Major Relationships, Weakness_Ordinalities
Minor None
393 Return of Wrong Status Code
Major Observed_Examples, Weakness_Ordinalities
Minor None
394 Unexpected Status Code or Return Value
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Weakness_Ordinalities
Minor None
396 Declaration of Catch for Generic Exception
Major Relationships, Weakness_Ordinalities
Minor None
397 Declaration of Throws for Generic Exception
Major Relationships, Weakness_Ordinalities
Minor None
400 Uncontrolled Resource Consumption
Major Applicable_Platforms, Maintenance_Notes, Weakness_Ordinalities
Minor None
401 Missing Release of Memory after Effective Lifetime
Major Applicable_Platforms
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major Detection_Factors, Weakness_Ordinalities
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Weakness_Ordinalities
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Detection_Factors, Weakness_Ordinalities
Minor None
407 Inefficient Algorithmic Complexity
Major Weakness_Ordinalities
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Weakness_Ordinalities
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
410 Insufficient Resource Pool
Major Weakness_Ordinalities
Minor None
412 Unrestricted Externally Accessible Lock
Major Weakness_Ordinalities
Minor None
413 Improper Resource Locking
Major Weakness_Ordinalities
Minor None
414 Missing Lock Check
Major Detection_Factors, Weakness_Ordinalities
Minor None
415 Double Free
Major Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities
Minor None
416 Use After Free
Major Applicable_Platforms, Detection_Factors, References, Relationships
Minor None
419 Unprotected Primary Channel
Major Relationships, Weakness_Ordinalities
Minor None
420 Unprotected Alternate Channel
Major Weakness_Ordinalities
Minor None
421 Race Condition During Access to Alternate Channel
Major Weakness_Ordinalities
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Weakness_Ordinalities
Minor None
424 Improper Protection of Alternate Path
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
425 Direct Request ('Forced Browsing')
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
426 Untrusted Search Path
Major Relationships, Weakness_Ordinalities
Minor None
427 Uncontrolled Search Path Element
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
428 Unquoted Search Path or Element
Major Weakness_Ordinalities
Minor None
430 Deployment of Wrong Handler
Major Applicable_Platforms
Minor None
431 Missing Handler
Major Weakness_Ordinalities
Minor None
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major Weakness_Ordinalities
Minor None
433 Unparsed Raw Web Content Delivery
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Relationships
Minor None
435 Improper Interaction Between Multiple Correctly-Behaving Entities
Major Weakness_Ordinalities
Minor None
436 Interpretation Conflict
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
437 Incomplete Model of Endpoint Features
Major Weakness_Ordinalities
Minor None
439 Behavioral Change in New Version or Environment
Major Weakness_Ordinalities
Minor None
440 Expected Behavior Violation
Major Weakness_Ordinalities
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Alternate_Terms, Relationships, Weakness_Ordinalities
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Major Applicable_Platforms, Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Applicable_Platforms, Common_Consequences, Relationships, Weakness_Ordinalities
Minor None
448 Obsolete Feature in UI
Major Weakness_Ordinalities
Minor None
449 The UI Performs the Wrong Action
Major Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
450 Multiple Interpretations of UI Input
Major Weakness_Ordinalities
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
453 Insecure Default Variable Initialization
Major Detection_Factors, Weakness_Ordinalities
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
455 Non-exit on Failed Initialization
Major Weakness_Ordinalities
Minor None
456 Missing Initialization of a Variable
Major Weakness_Ordinalities
Minor Observed_Examples
457 Use of Uninitialized Variable
Major Weakness_Ordinalities
Minor None
459 Incomplete Cleanup
Major Weakness_Ordinalities
Minor None
460 Improper Cleanup on Thrown Exception
Major Relationships, Weakness_Ordinalities
Minor None
462 Duplicate Key in Associative List (Alist)
Major Weakness_Ordinalities
Minor None
463 Deletion of Data Structure Sentinel
Major Weakness_Ordinalities
Minor None
464 Addition of Data Structure Sentinel
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities
Minor None
468 Incorrect Pointer Scaling
Major Detection_Factors, Weakness_Ordinalities
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Weakness_Ordinalities
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Demonstrative_Examples, Relationships, Weakness_Ordinalities
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
473 PHP External Variable Modification
Major Weakness_Ordinalities
Minor None
476 NULL Pointer Dereference
Major Detection_Factors, Observed_Examples, References, Relationships
Minor None
477 Use of Obsolete Function
Major Relationships
Minor None
478 Missing Default Case in Multiple Condition Expression
Major Relationships
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Weakness_Ordinalities
Minor None
480 Use of Incorrect Operator
Major Weakness_Ordinalities
Minor None
481 Assigning instead of Comparing
Major Weakness_Ordinalities
Minor None
482 Comparing instead of Assigning
Major Weakness_Ordinalities
Minor None
483 Incorrect Block Delimitation
Major Observed_Examples
Minor None
484 Omitted Break Statement in Switch
Major Applicable_Platforms, Relationships
Minor None
486 Comparison of Classes by Name
Major Weakness_Ordinalities
Minor None
487 Reliance on Package-level Scope
Major Common_Consequences, Detection_Factors, Weakness_Ordinalities
Minor None
488 Exposure of Data Element to Wrong Session
Major Weakness_Ordinalities
Minor None
489 Active Debug Code
Major Relationships
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major Detection_Factors, Weakness_Ordinalities
Minor None
492 Use of Inner Class Containing Sensitive Data
Major Weakness_Ordinalities
Minor None
493 Critical Public Variable Without Final Modifier
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
494 Download of Code Without Integrity Check
Major Relationships, Weakness_Ordinalities
Minor None
495 Private Data Structure Returned From A Public Method
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
498 Cloneable Class Containing Sensitive Information
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
499 Serializable Class Containing Sensitive Data
Major Weakness_Ordinalities
Minor None
500 Public Static Field Not Marked Final
Major Relationships, Weakness_Ordinalities
Minor None
501 Trust Boundary Violation
Major Relationships, Weakness_Ordinalities
Minor None
502 Deserialization of Untrusted Data
Major Applicable_Platforms, Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
506 Embedded Malicious Code
Major Applicable_Platforms, Demonstrative_Examples, Relationship_Notes, Relationships, Weakness_Ordinalities
Minor None
507 Trojan Horse
Major Applicable_Platforms, Relationship_Notes, Time_of_Introduction, Weakness_Ordinalities
Minor None
508 Non-Replicating Malicious Code
Major Applicable_Platforms, Relationship_Notes, Time_of_Introduction, Weakness_Ordinalities
Minor None
509 Replicating Malicious Code (Virus or Worm)
Major Applicable_Platforms, Relationship_Notes, Relationships, Weakness_Ordinalities
Minor None
510 Trapdoor
Major Applicable_Platforms, Relationship_Notes, Time_of_Introduction, Weakness_Ordinalities
Minor None
511 Logic/Time Bomb
Major Detection_Factors, Potential_Mitigations, Relationship_Notes, Weakness_Ordinalities
Minor None
512 Spyware
Major Applicable_Platforms, Relationship_Notes, Weakness_Ordinalities
Minor None
514 Covert Channel
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
515 Covert Storage Channel
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
521 Weak Password Requirements
Major Background_Details, Description, Diagram, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
522 Insufficiently Protected Credentials
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
523 Unprotected Transport of Credentials
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
524 Use of Cache Containing Sensitive Information
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
525 Use of Web Browser Cache Containing Sensitive Information
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
526 Cleartext Storage of Sensitive Information in an Environment Variable
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
527 Exposure of Version-Control Repository to an Unauthorized Control Sphere
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
531 Inclusion of Sensitive Information in Test Code
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
532 Insertion of Sensitive Information into Log File
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
535 Exposure of Information Through Shell Error Message
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
536 Servlet Runtime Error Message Containing Sensitive Information
Major Applicable_Platforms, Description, Weakness_Ordinalities
Minor None
537 Java Runtime Error Message Containing Sensitive Information
Major Weakness_Ordinalities
Minor None
538 Insertion of Sensitive Information into Externally-Accessible File or Directory
Major Relationships, Weakness_Ordinalities
Minor None
539 Use of Persistent Cookies Containing Sensitive Information
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
540 Inclusion of Sensitive Information in Source Code
Major Applicable_Platforms, Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
541 Inclusion of Sensitive Information in an Include File
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Detection_Factors, Weakness_Ordinalities
Minor None
544 Missing Standardized Error Handling Mechanism
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
546 Suspicious Comment
Major Detection_Factors
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Applicable_Platforms, Common_Consequences, Relationships
Minor None
548 Exposure of Information Through Directory Listing
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
549 Missing Password Field Masking
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
550 Server-generated Error Message Containing Sensitive Information
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships, Weakness_Ordinalities
Minor None
553 Command Shell in Externally Accessible Directory
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
558 Use of getlogin() in Multithreaded Application
Major Detection_Factors, Weakness_Ordinalities
Minor None
560 Use of umask() with chmod-style Argument
Major Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
561 Dead Code
Major Observed_Examples
Minor None
562 Return of Stack Variable Address
Major Detection_Factors, Observed_Examples, References
Minor None
563 Assignment to Variable without Use
Major Applicable_Platforms
Minor None
564 SQL Injection: Hibernate
Major Relationships, Weakness_Ordinalities
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Relationships, Weakness_Ordinalities
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Weakness_Ordinalities
Minor None
568 finalize() Method Without super.finalize()
Major Weakness_Ordinalities
Minor None
570 Expression is Always False
Major Weakness_Ordinalities
Minor None
571 Expression is Always True
Major Weakness_Ordinalities
Minor None
572 Call to Thread run() instead of start()
Major Weakness_Ordinalities
Minor None
573 Improper Following of Specification by Caller
Major Applicable_Platforms, Detection_Factors
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Weakness_Ordinalities
Minor None
575 EJB Bad Practices: Use of AWT Swing
Major Weakness_Ordinalities
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Weakness_Ordinalities
Minor None
577 EJB Bad Practices: Use of Sockets
Major Weakness_Ordinalities
Minor None
578 EJB Bad Practices: Use of Class Loader
Major Weakness_Ordinalities
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Weakness_Ordinalities
Minor None
580 clone() Method Without super.clone()
Major Weakness_Ordinalities
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Weakness_Ordinalities
Minor None
582 Array Declared Public, Final, and Static
Major Detection_Factors
Minor None
583 finalize() Method Declared Public
Major Weakness_Ordinalities
Minor None
584 Return Inside Finally Block
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
586 Explicit Call to Finalize()
Major Demonstrative_Examples
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Applicable_Platforms, Detection_Factors, References
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
589 Call to Non-ubiquitous API
Major Applicable_Platforms
Minor None
590 Free of Memory not on the Heap
Major Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Applicable_Platforms
Minor None
595 Comparison of Object References Instead of Object Contents
Major Weakness_Ordinalities
Minor None
597 Use of Wrong Operator in String Comparison
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
598 Use of GET Request Method With Sensitive Query Strings
Major Applicable_Platforms, Background_Details, Common_Consequences, Other_Notes, References, Relationships, Weakness_Ordinalities
Minor None
599 Missing Validation of OpenSSL Certificate
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
600 Uncaught Exception in Servlet
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Detection_Factors, Observed_Examples, Potential_Mitigations, Relationships
Minor None
603 Use of Client-Side Authentication
Major Weakness_Ordinalities
Minor None
605 Multiple Binds to the Same Port
Major Detection_Factors
Minor None
606 Unchecked Input for Loop Condition
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
607 Public Static Final Field References Mutable Object
Major Weakness_Ordinalities
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Detection_Factors
Minor None
609 Double-Checked Locking
Major Detection_Factors, Weakness_Ordinalities
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
611 Improper Restriction of XML External Entity Reference
Major Applicable_Platforms, Background_Details, Common_Consequences, Description, Diagram, Relationships, Weakness_Ordinalities
Minor None
612 Improper Authorization of Index Containing Sensitive Information
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
613 Insufficient Session Expiration
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
615 Inclusion of Sensitive Information in Source Code Comments
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
617 Reachable Assertion
Major Applicable_Platforms, Observed_Examples, Relationships
Minor None
618 Exposed Unsafe ActiveX Method
Major Applicable_Platforms
Minor None
620 Unverified Password Change
Major Applicable_Platforms, Relationships
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Applicable_Platforms
Minor None
624 Executable Regular Expression Error
Major Detection_Factors, Weakness_Ordinalities
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Detection_Factors
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Relationships
Minor None
636 Not Failing Securely ('Failing Open')
Major Relationships
Minor None
639 Authorization Bypass Through User-Controlled Key
Major References, Relationships, Weakness_Ordinalities
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Relationships, Weakness_Ordinalities
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
642 External Control of Critical State Data
Major Detection_Factors, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Relationships, Weakness_Ordinalities
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Weakness_Ordinalities
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Relationships, Weakness_Ordinalities
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Relationships, Weakness_Ordinalities
Minor None
648 Incorrect Use of Privileged APIs
Major Weakness_Ordinalities
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Weakness_Ordinalities
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
651 Exposure of WSDL File Containing Sensitive Information
Major Weakness_Ordinalities
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Weakness_Ordinalities
Minor None
653 Improper Isolation or Compartmentalization
Major Relationships
Minor None
655 Insufficient Psychological Acceptability
Major Maintenance_Notes
Minor None
656 Reliance on Security Through Obscurity
Major Applicable_Platforms, Relationships
Minor None
657 Violation of Secure Design Principles
Major Applicable_Platforms, Maintenance_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
662 Improper Synchronization
Major Applicable_Platforms, Description, Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Demonstrative_Examples, Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
665 Improper Initialization
Major Observed_Examples
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
667 Improper Locking
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
668 Exposure of Resource to Wrong Sphere
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
670 Always-Incorrect Control Flow Implementation
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
671 Lack of Administrator Control over Security
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
672 Operation on a Resource after Expiration or Release
Major Detection_Factors, Weakness_Ordinalities
Minor None
673 External Influence of Sphere Definition
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
674 Uncontrolled Recursion
Major Weakness_Ordinalities
Minor None
675 Multiple Operations on Resource in Single-Operation Context
Major Weakness_Ordinalities
Minor None
676 Use of Potentially Dangerous Function
Major Relationships
Minor None
680 Integer Overflow to Buffer Overflow
Major Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities
Minor None
681 Incorrect Conversion between Numeric Types
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
682 Incorrect Calculation
Major Weakness_Ordinalities
Minor None
683 Function Call With Incorrect Order of Arguments
Major Applicable_Platforms, Detection_Factors, Potential_Mitigations
Minor None
684 Incorrect Provision of Specified Functionality
Major Applicable_Platforms
Minor None
686 Function Call With Incorrect Argument Type
Major Applicable_Platforms, Detection_Factors, Potential_Mitigations
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Applicable_Platforms
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities
Minor None
691 Insufficient Control Flow Management
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
692 Incomplete Denylist to Cross-Site Scripting
Major Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
Minor None
693 Protection Mechanism Failure
Major Relationships, Weakness_Ordinalities
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Weakness_Ordinalities
Minor None
695 Use of Low-Level Functionality
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
696 Incorrect Behavior Order
Major Applicable_Platforms, Description
Minor None
697 Incorrect Comparison
Major Common_Consequences, Description, Detection_Factors, Diagram
Minor None
698 Execution After Redirect (EAR)
Major Applicable_Platforms
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Diagram, Relationships, Weakness_Ordinalities
Minor None
704 Incorrect Type Conversion or Cast
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
705 Incorrect Control Flow Scoping
Major Detection_Factors, Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Weakness_Ordinalities
Minor None
707 Improper Neutralization
Major Detection_Factors, Weakness_Ordinalities
Minor None
708 Incorrect Ownership Assignment
Major Detection_Factors, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities
Minor None
710 Improper Adherence to Coding Standards
Major Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Relationships, Weakness_Ordinalities
Minor None
733 Compiler Optimization Removal or Modification of Security-critical Code
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
749 Exposed Dangerous Method or Function
Major Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
755 Improper Handling of Exceptional Conditions
Major Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
756 Missing Custom Error Page
Major Applicable_Platforms, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major Applicable_Platforms, Common_Consequences, Time_of_Introduction
Minor None
759 Use of a One-Way Hash without a Salt
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
761 Free of Pointer not at Start of Buffer
Major Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Weakness_Ordinalities
Minor None
762 Mismatched Memory Management Routines
Major Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Weakness_Ordinalities
Minor None
763 Release of Invalid Pointer or Reference
Major Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities
Minor None
764 Multiple Locks of a Critical Resource
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
765 Multiple Unlocks of a Critical Resource
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
767 Access to Critical Private Variable via Public Method
Major Weakness_Ordinalities
Minor None
768 Incorrect Short Circuit Evaluation
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
771 Missing Reference to Active Allocated Resource
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Detection_Factors, Weakness_Ordinalities
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
777 Regular Expression without Anchors
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
778 Insufficient Logging
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
779 Logging of Excessive Data
Major Detection_Factors, Weakness_Ordinalities
Minor None
780 Use of RSA Algorithm without OAEP
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major Weakness_Ordinalities
Minor None
782 Exposed IOCTL with Insufficient Access Control
Major Weakness_Ordinalities
Minor None
783 Operator Precedence Logic Error
Major Detection_Factors, Weakness_Ordinalities
Minor None
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
785 Use of Path Manipulation Function without Maximum-sized Buffer
Major Detection_Factors, Weakness_Ordinalities
Minor None
786 Access of Memory Location Before Start of Buffer
Major Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities
Minor None
787 Out-of-bounds Write
Major Applicable_Platforms, Detection_Factors, References, Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities
Minor None
789 Memory Allocation with Excessive Size Value
Major Detection_Factors, References
Minor None
790 Improper Filtering of Special Elements
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
791 Incomplete Filtering of Special Elements
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
792 Incomplete Filtering of One or More Instances of Special Elements
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
793 Only Filtering One Instance of a Special Element
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
794 Incomplete Filtering of Multiple Instances of Special Elements
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
795 Only Filtering Special Elements at a Specified Location
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
796 Only Filtering Special Elements Relative to a Marker
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
797 Only Filtering Special Elements at an Absolute Position
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
798 Use of Hard-coded Credentials
Major Maintenance_Notes, Mapping_Notes, Observed_Examples, Relationships
Minor None
799 Improper Control of Interaction Frequency
Major Applicable_Platforms, Observed_Examples, Relationships
Minor None
805 Buffer Access with Incorrect Length Value
Major Applicable_Platforms, Detection_Factors, References
Minor None
806 Buffer Access Using Size of Source Buffer
Major Applicable_Platforms, Detection_Factors, References
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
820 Missing Synchronization
Major Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
Minor None
821 Incorrect Synchronization
Major Applicable_Platforms, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
822 Untrusted Pointer Dereference
Major Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities
Minor None
823 Use of Out-of-range Pointer Offset
Major Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities
Minor None
824 Access of Uninitialized Pointer
Major Applicable_Platforms, Detection_Factors, References, Time_of_Introduction, Weakness_Ordinalities
Minor None
825 Expired Pointer Dereference
Major Applicable_Platforms, Detection_Factors, Observed_Examples, References, Time_of_Introduction, Weakness_Ordinalities
Minor None
826 Premature Release of Resource During Expected Lifetime
Major Applicable_Platforms, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
827 Improper Control of Document Type Definition
Major Weakness_Ordinalities
Minor None
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major Applicable_Platforms, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Applicable_Platforms, Common_Consequences, Description, Diagram, Other_Notes, Relationships, Weakness_Ordinalities
Minor None
830 Inclusion of Web Functionality from an Untrusted Source
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
831 Signal Handler Function Associated with Multiple Signals
Major Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
Minor None
832 Unlock of a Resource that is not Locked
Major Applicable_Platforms, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
833 Deadlock
Major Applicable_Platforms, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
834 Excessive Iteration
Major Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Applicable_Platforms, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
836 Use of Password Hash Instead of Password for Authentication
Major Weakness_Ordinalities
Minor None
837 Improper Enforcement of a Single, Unique Action
Major Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
Minor None
838 Inappropriate Encoding for Output Context
Major Time_of_Introduction, Weakness_Ordinalities
Minor None
839 Numeric Range Comparison Without Minimum Check
Major Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
841 Improper Enforcement of Behavioral Workflow
Major Applicable_Platforms, Detection_Factors, Relationships, Type, Weakness_Ordinalities
Minor None
842 Placement of User into Incorrect Group
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major Detection_Factors, Observed_Examples, Weakness_Ordinalities
Minor None
862 Missing Authorization
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
863 Incorrect Authorization
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
908 Use of Uninitialized Resource
Major Detection_Factors, Observed_Examples
Minor None
909 Missing Initialization of Resource
Major Detection_Factors
Minor None
910 Use of Expired File Descriptor
Major Detection_Factors
Minor None
912 Hidden Functionality
Major Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Applicable_Platforms, Demonstrative_Examples, Weakness_Ordinalities
Minor None
914 Improper Control of Dynamically-Identified Variables
Major Applicable_Platforms
Minor None
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major Applicable_Platforms, Relationships
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Relationships
Minor None
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major Relationships
Minor None
918 Server-Side Request Forgery (SSRF)
Major Applicable_Platforms, Demonstrative_Examples, References, Relationships, Weakness_Ordinalities
Minor None
920 Improper Restriction of Power Consumption
Major Weakness_Ordinalities
Minor None
921 Storage of Sensitive Data in a Mechanism without Access Control
Major Weakness_Ordinalities
Minor None
922 Insecure Storage of Sensitive Information
Major Demonstrative_Examples, References, Relationships, Weakness_Ordinalities
Minor None
923 Improper Restriction of Communication Channel to Intended Endpoints
Major Applicable_Platforms, Observed_Examples, Weakness_Ordinalities
Minor None
924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Major Weakness_Ordinalities
Minor None
925 Improper Verification of Intent by Broadcast Receiver
Major Weakness_Ordinalities
Minor None
926 Improper Export of Android Application Components
Major Relationships, Weakness_Ordinalities
Minor None
927 Use of Implicit Intent for Sensitive Communication
Major Weakness_Ordinalities
Minor None
939 Improper Authorization in Handler for Custom URL Scheme
Major Common_Consequences, Detection_Factors, Relationships, Weakness_Ordinalities
Minor None
940 Improper Verification of Source of a Communication Channel
Major Common_Consequences, Relationships, Weakness_Ordinalities
Minor None
941 Incorrectly Specified Destination in a Communication Channel
Major Common_Consequences, Relationships, Weakness_Ordinalities
Minor None
942 Permissive Cross-domain Security Policy with Untrusted Domains
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
943 Improper Neutralization of Special Elements in Data Query Logic
Major Weakness_Ordinalities
Minor None
1004 Sensitive Cookie Without 'HttpOnly' Flag
Major Applicable_Platforms, Observed_Examples, References, Relationships, Weakness_Ordinalities
Minor None
1007 Insufficient Visual Distinction of Homoglyphs Presented to User
Major Applicable_Platforms
Minor None
1021 Improper Restriction of Rendered UI Layers or Frames
Major Applicable_Platforms, References, Relationships, Weakness_Ordinalities
Minor None
1022 Use of Web Link to Untrusted Target with window.opener Access
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
1023 Incomplete Comparison with Missing Factors
Major Applicable_Platforms, Common_Consequences, Description
Minor None
1024 Comparison of Incompatible Types
Major Description, Detection_Factors, Modes_of_Introduction
Minor None
1025 Comparison Using Wrong Factors
Major Common_Consequences, Description
Minor None
1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Major Relationships
Minor None
1038 Insecure Automated Optimizations
Major Demonstrative_Examples
Minor None
1041 Use of Redundant Code
Major Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1042 Static Member Data Element outside of a Singleton Class Element
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1044 Architecture with Number of Horizontal Layers Outside of Expected Range
Major Applicable_Platforms, Common_Consequences, Description
Minor None
1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1046 Creation of Immutable Text Using String Concatenation
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1047 Modules with Circular Dependencies
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1048 Invokable Control Element with Large Number of Outward Calls
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1049 Excessive Data Query Operations in a Large Data Table
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1050 Excessive Platform Resource Consumption within a Loop
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1051 Initialization with Hard-Coded Network Resource Configuration Data
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1052 Excessive Use of Hard-Coded Literals in Initialization
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1053 Missing Documentation for Design
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1055 Multiple Inheritance from Concrete Classes
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1056 Invokable Control Element with Variadic Parameters
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1057 Data Access Operations Outside of Expected Data Manager Component
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1060 Excessive Number of Inefficient Server-Side Data Accesses
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1061 Insufficient Encapsulation
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction, Weakness_Ordinalities
Minor None
1062 Parent Class with References to Child Class
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1063 Creation of Class Instance within a Static Code Block
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1065 Runtime Resource Management Control Element in a Component Built to Run on Application Servers
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1066 Missing Serialization Control Element
Major Applicable_Platforms, Background_Details, Common_Consequences, Description, Time_of_Introduction
Minor None
1067 Excessive Execution of Sequential Searches of Data Resource
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1068 Inconsistency Between Implementation and Documented Design
Major Common_Consequences, Description
Minor None
1069 Empty Exception Block
Major Common_Consequences, Description, Time_of_Introduction
Minor None
1070 Serializable Data Element Containing non-Serializable Item Elements
Major Applicable_Platforms, Background_Details, Common_Consequences, Description, Time_of_Introduction
Minor None
1071 Empty Code Block
Major Applicable_Platforms, Detection_Factors, Time_of_Introduction
Minor None
1072 Data Resource Access without Use of Connection Pooling
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
Major Common_Consequences, Description, Time_of_Introduction
Minor None
1074 Class with Excessively Deep Inheritance
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1075 Unconditional Control Flow Transfer outside of Switch Block
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1076 Insufficient Adherence to Expected Conventions
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Time_of_Introduction
Minor None
1077 Floating Point Comparison with Incorrect Operator
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1078 Inappropriate Source Code Style or Formatting
Major Applicable_Platforms, Common_Consequences, Detection_Factors, Time_of_Introduction
Minor None
1079 Parent Class without Virtual Destructor Method
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1080 Source Code File with Excessive Number of Lines of Code
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1082 Class Instance Self Destruction Control Element
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1083 Data Access from Outside Expected Data Manager Component
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1084 Invokable Control Element with Excessive File or Data Access Operations
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1085 Invokable Control Element with Excessive Volume of Commented-out Code
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1086 Class with Excessive Number of Child Classes
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1087 Class with Virtual Method without a Virtual Destructor
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1088 Synchronous Access of Remote Resource without Timeout
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1089 Large Data Table with Excessive Number of Indices
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1090 Method Containing Access of a Member Element from Another Class
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1091 Use of Object without Invoking Destructor Method
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1092 Use of Same Invokable Control Element in Multiple Architectural Layers
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1093 Excessively Complex Data Representation
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1094 Excessive Index Range Scan for a Data Resource
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1095 Loop Condition Value Update within the Loop
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1096 Singleton Class Instance Creation without Proper Locking or Synchronization
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1097 Persistent Storable Data Element without Associated Comparison Control Element
Major Applicable_Platforms, Background_Details, Common_Consequences, Description, Time_of_Introduction
Minor None
1098 Data Element containing Pointer Item without Proper Copy Control Element
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1099 Inconsistent Naming Conventions for Identifiers
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1100 Insufficient Isolation of System-Dependent Functions
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1101 Reliance on Runtime Component in Generated Code
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1102 Reliance on Machine-Dependent Data Representation
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1103 Use of Platform-Dependent Third Party Components
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1104 Use of Unmaintained Third Party Components
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Diagram, Relationships, Time_of_Introduction
Minor None
1105 Insufficient Encapsulation of Machine-Dependent Functionality
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1106 Insufficient Use of Symbolic Constants
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Time_of_Introduction
Minor None
1107 Insufficient Isolation of Symbolic Constant Definitions
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1108 Excessive Reliance on Global Variables
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1109 Use of Same Variable for Multiple Purposes
Major Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Time_of_Introduction
Minor None
1110 Incomplete Design Documentation
Major Common_Consequences, Time_of_Introduction
Minor None
1111 Incomplete I/O Documentation
Major Applicable_Platforms, Common_Consequences, Time_of_Introduction
Minor None
1112 Incomplete Documentation of Program Execution
Major Applicable_Platforms, Common_Consequences, Time_of_Introduction
Minor None
1113 Inappropriate Comment Style
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1114 Inappropriate Whitespace Style
Major Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Time_of_Introduction
Minor None
1115 Source Code Element without Standard Prologue
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1116 Inaccurate Source Code Comments
Major Common_Consequences, Description, Name, Time_of_Introduction
Minor None
1117 Callable with Insufficient Behavioral Summary
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1118 Insufficient Documentation of Error Handling Techniques
Major Applicable_Platforms, Common_Consequences, Time_of_Introduction
Minor None
1119 Excessive Use of Unconditional Branching
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1120 Excessive Code Complexity
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1121 Excessive McCabe Cyclomatic Complexity
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1122 Excessive Halstead Complexity
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1123 Excessive Use of Self-Modifying Code
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1124 Excessively Deep Nesting
Major Applicable_Platforms, Common_Consequences, Description, Time_of_Introduction
Minor None
1125 Excessive Attack Surface
Major Applicable_Platforms, Common_Consequences, Relationships, Time_of_Introduction
Minor None
1126 Declaration of Variable with Unnecessarily Wide Scope
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Time_of_Introduction
Minor None
1127 Compilation with Insufficient Warnings or Errors
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors
Minor None
1164 Irrelevant Code
Major Applicable_Platforms, Detection_Factors, Observed_Examples, Time_of_Introduction, Weakness_Ordinalities
Minor None
1174 ASP.NET Misconfiguration: Improper Model Validation
Major Relationships
Minor None
1176 Inefficient CPU Computation
Major Applicable_Platforms, Common_Consequences, Description
Minor None
1177 Use of Prohibited Code
Major Applicable_Platforms, Detection_Factors
Minor None
1188 Initialization of a Resource with an Insecure Default
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, References, Relationships, Time_of_Introduction
Minor None
1190 DMA Device Enabled Too Early in Boot Phase
Major Weakness_Ordinalities
Minor None
1192 Improper Identifier for IP Block used in System-On-Chip (SOC)
Major Weakness_Ordinalities
Minor None
1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
Major Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
Minor None
1204 Generation of Weak Initialization Vector (IV)
Major Detection_Factors, Weakness_Ordinalities
Minor None
1209 Failure to Disable Reserved Bits
Major Weakness_Ordinalities
Minor Modes_of_Introduction
1220 Insufficient Granularity of Access Control
Major Weakness_Ordinalities
Minor None
1221 Incorrect Register Defaults or Module Parameters
Major Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
1222 Insufficient Granularity of Address Regions Protected by Register Locks
Major Weakness_Ordinalities
Minor None
1223 Race Condition for Write-Once Attributes
Major Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor Demonstrative_Examples
1224 Improper Restriction of Write-Once Bit Fields
Major Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
1229 Creation of Emergent Resource
Major Common_Consequences, Demonstrative_Examples, Time_of_Introduction, Weakness_Ordinalities
Minor None
1230 Exposure of Sensitive Information Through Metadata
Major Common_Consequences, Weakness_Ordinalities
Minor None
1232 Improper Lock Behavior After Power State Transition
Major Weakness_Ordinalities
Minor None
1234 Hardware Internal or Debug Modes Allow Override of Locks
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
Major Background_Details, Common_Consequences, Description, Detection_Factors, Potential_Mitigations, Weakness_Ordinalities
Minor None
1236 Improper Neutralization of Formula Elements in a CSV File
Major Background_Details, Common_Consequences, Description, Detection_Factors, Weakness_Ordinalities
Minor None
1239 Improper Zeroization of Hardware Register
Major Weakness_Ordinalities
Minor None
1240 Use of a Cryptographic Primitive with a Risky Implementation
Major Relationships
Minor None
1241 Use of Predictable Algorithm in Random Number Generator
Major Description, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
1242 Inclusion of Undocumented Features or Chicken Bits
Major Common_Consequences, Demonstrative_Examples, Description, Weakness_Ordinalities
Minor None
1243 Sensitive Non-Volatile Information Not Protected During Debug
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1244 Internal Asset Exposed to Unsafe Debug Access Level or State
Major Common_Consequences, Description
Minor None
1245 Improper Finite State Machines (FSMs) in Hardware Logic
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1246 Improper Write Handling in Limited-write Non-Volatile Memories
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1247 Improper Protection Against Voltage and Clock Glitches
Major Demonstrative_Examples
Minor None
1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System
Major Weakness_Ordinalities
Minor None
1250 Improper Preservation of Consistency Between Independent Representations of Shared State
Major Common_Consequences, Time_of_Introduction, Weakness_Ordinalities
Minor None
1251 Mirrored Regions with Different Values
Major Time_of_Introduction, Weakness_Ordinalities
Minor None
1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1253 Incorrect Selection of Fuse Values
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1254 Incorrect Comparison Logic Granularity
Major Weakness_Ordinalities
Minor None
1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
Major Weakness_Ordinalities
Minor Modes_of_Introduction
1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
Major Weakness_Ordinalities
Minor None
1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
Major Relationships, Weakness_Ordinalities
Minor None
1259 Improper Restriction of Security Token Assignment
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1261 Improper Handling of Single Event Upsets
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
1262 Improper Access Control for Register Interface
Major Demonstrative_Examples, References
Minor None
1263 Improper Physical Access Control
Major Weakness_Ordinalities
Minor Modes_of_Introduction
1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels
Major None
Minor Description
1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
Major Applicable_Platforms, Description, Relationships, Time_of_Introduction
Minor None
1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
Major Weakness_Ordinalities
Minor None
1267 Policy Uses Obsolete Encoding
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
Major Demonstrative_Examples, Relationships, Weakness_Ordinalities
Minor None
1269 Product Released in Non-Release Configuration
Major Weakness_Ordinalities
Minor None
1270 Generation of Incorrect Security Tokens
Major Common_Consequences, Description, Weakness_Ordinalities
Minor None
1273 Device Unlock Credential Sharing
Major Weakness_Ordinalities
Minor None
1274 Improper Access Control for Volatile Memory Containing Boot Code
Major Common_Consequences, Description
Minor None
1275 Sensitive Cookie with Improper SameSite Attribute
Major Applicable_Platforms, Relationships, Weakness_Ordinalities
Minor None
1276 Hardware Child Block Incorrectly Connected to Parent System
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
1277 Firmware Not Updateable
Major None
Minor Demonstrative_Examples
1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
Major Weakness_Ordinalities
Minor None
1279 Cryptographic Operations are run Before Supporting Units are Ready
Major Weakness_Ordinalities
Minor None
1280 Access Control Check Implemented After Asset is Accessed
Major Weakness_Ordinalities
Minor None
1281 Sequence of Processor Instructions Leads to Unexpected Behavior
Major Weakness_Ordinalities
Minor None
1282 Assumed-Immutable Data is Stored in Writable Memory
Major Weakness_Ordinalities
Minor None
1283 Mutable Attestation or Measurement Reporting Data
Major Weakness_Ordinalities
Minor None
1284 Improper Validation of Specified Quantity in Input
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Modes_of_Introduction, Observed_Examples, Weakness_Ordinalities
Minor None
1285 Improper Validation of Specified Index, Position, or Offset in Input
Major Detection_Factors, Weakness_Ordinalities
Minor None
1286 Improper Validation of Syntactic Correctness of Input
Major Weakness_Ordinalities
Minor None
1287 Improper Validation of Specified Type of Input
Major Weakness_Ordinalities
Minor None
1288 Improper Validation of Consistency within Input
Major Weakness_Ordinalities
Minor None
1289 Improper Validation of Unsafe Equivalence in Input
Major Weakness_Ordinalities
Minor None
1290 Incorrect Decoding of Security Identifiers
Major Weakness_Ordinalities
Minor None
1291 Public Key Re-Use for Signing both Debug and Production Code
Major Weakness_Ordinalities
Minor Potential_Mitigations
1292 Incorrect Conversion of Security Identifiers
Major Weakness_Ordinalities
Minor None
1293 Missing Source Correlation of Multiple Independent Data
Major Weakness_Ordinalities
Minor None
1294 Insecure Security Identifier Mechanism
Major Weakness_Ordinalities
Minor None
1295 Debug Messages Revealing Unnecessary Information
Major Detection_Factors, Weakness_Ordinalities
Minor None
1296 Incorrect Chaining or Granularity of Debug Components
Major Weakness_Ordinalities
Minor None
1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
Major Weakness_Ordinalities
Minor None
1298 Hardware Logic Contains Race Conditions
Major Weakness_Ordinalities
Minor None
1299 Missing Protection Mechanism for Alternate Hardware Interface
Major Weakness_Ordinalities
Minor None
1301 Insufficient or Incomplete Data Removal within Hardware Component
Major Weakness_Ordinalities
Minor None
1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)
Major Demonstrative_Examples, Weakness_Ordinalities
Minor None
1303 Non-Transparent Sharing of Microarchitectural Resources
Major Weakness_Ordinalities
Minor None
1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
Major Weakness_Ordinalities
Minor None
1310 Missing Ability to Patch ROM Code
Major Weakness_Ordinalities
Minor None
1311 Improper Translation of Security Attributes by Fabric Bridge
Major Weakness_Ordinalities
Minor None
1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
Major Weakness_Ordinalities
Minor None
1313 Hardware Allows Activation of Test or Debug Logic at Runtime
Major Weakness_Ordinalities
Minor None
1314 Missing Write Protection for Parametric Data Values
Major Weakness_Ordinalities
Minor None
1315 Improper Setting of Bus Controlling Capability in Fabric End-point
Major Weakness_Ordinalities
Minor None
1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
Major Weakness_Ordinalities
Minor None
1317 Improper Access Control in Fabric Bridge
Major Weakness_Ordinalities
Minor None
1318 Missing Support for Security Features in On-chip Fabrics or Buses
Major Weakness_Ordinalities
Minor None
1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
Major Demonstrative_Examples, Observed_Examples, Weakness_Ordinalities
Minor None
1320 Improper Protection for Outbound Error Messages and Alert Signals
Major Weakness_Ordinalities
Minor None
1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Major Detection_Factors, Weakness_Ordinalities
Minor None
1322 Use of Blocking Code in Single-threaded, Non-blocking Context
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
1323 Improper Management of Sensitive Trace Data
Major Weakness_Ordinalities
Minor None
1326 Missing Immutable Root of Trust in Hardware
Major Weakness_Ordinalities
Minor None
1327 Binding to an Unrestricted IP Address
Major Weakness_Ordinalities
Minor None
1328 Security Version Number Mutable to Older Versions
Major Weakness_Ordinalities
Minor None
1329 Reliance on Component That is Not Updateable
Major Relationships
Minor Demonstrative_Examples
1330 Remanent Data Readable after Memory Erase
Major Weakness_Ordinalities
Minor None
1333 Inefficient Regular Expression Complexity
Major Detection_Factors, Weakness_Ordinalities
Minor None
1334 Unauthorized Error Injection Can Degrade Hardware Redundancy
Major Weakness_Ordinalities
Minor None
1335 Incorrect Bitwise Shift of Integer
Major Detection_Factors, Weakness_Ordinalities
Minor None
1336 Improper Neutralization of Special Elements Used in a Template Engine
Major Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Minor None
1338 Improper Protections Against Hardware Overheating
Major Weakness_Ordinalities
Minor None
1339 Insufficient Precision or Accuracy of a Real Number
Major Detection_Factors, Weakness_Ordinalities
Minor None
1341 Multiple Releases of Same Resource or Handle
Major Observed_Examples, Weakness_Ordinalities
Minor None
1342 Information Exposure through Microarchitectural State after Transient Execution
Major Weakness_Ordinalities
Minor None
1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
Major Weakness_Ordinalities
Minor None
1357 Reliance on Insufficiently Trustworthy Component
Major Demonstrative_Examples, Detection_Factors
Minor None
1358 Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS
Major Maintenance_Notes, Relationship_Notes
Minor None
1359 ICS Communications
Major Maintenance_Notes, Relationship_Notes
Minor None
1360 ICS Dependencies (& Architecture)
Major Maintenance_Notes, Relationship_Notes
Minor None
1361 ICS Supply Chain
Major Maintenance_Notes, Relationship_Notes
Minor None
1362 ICS Engineering (Constructions/Deployment)
Major Maintenance_Notes, Relationship_Notes
Minor None
1363 ICS Operations (& Maintenance)
Major Maintenance_Notes, Relationship_Notes
Minor None
1364 ICS Communications: Zone Boundary Failures
Major Maintenance_Notes, Relationship_Notes
Minor None
1365 ICS Communications: Unreliability
Major Maintenance_Notes, Relationship_Notes
Minor None
1366 ICS Communications: Frail Security in Protocols
Major Maintenance_Notes
Minor None
1370 ICS Supply Chain: Common Mode Frailties
Major Maintenance_Notes
Minor None
1371 ICS Supply Chain: Poorly Documented or Undocumented Features
Major Maintenance_Notes
Minor None
1372 ICS Supply Chain: OT Counterfeit and Malicious Corruption
Major Maintenance_Notes
Minor None
1373 ICS Engineering (Construction/Deployment): Trust Model Problems
Major Maintenance_Notes
Minor None
1374 ICS Engineering (Construction/Deployment): Maker Breaker Blindness
Major Maintenance_Notes
Minor None
1375 ICS Engineering (Construction/Deployment): Gaps in Details/Data
Major Maintenance_Notes
Minor None
1376 ICS Engineering (Construction/Deployment): Security Gaps in Commissioning
Major Maintenance_Notes
Minor None
1384 Improper Handling of Physical or Environmental Conditions
Major Demonstrative_Examples, References, Weakness_Ordinalities
Minor None
1385 Missing Origin Validation in WebSockets
Major Applicable_Platforms, Weakness_Ordinalities
Minor None
1386 Insecure Operation on Windows Junction / Mount Point
Major Weakness_Ordinalities
Minor None
1389 Incorrect Parsing of Numbers with Different Radices
Major Detection_Factors, Weakness_Ordinalities
Minor None
1390 Weak Authentication
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
1391 Use of Weak Credentials
Major Common_Consequences, Description, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
Minor None
1392 Use of Default Credentials
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
1393 Use of Default Password
Major Observed_Examples, References, Relationships, Weakness_Ordinalities
Minor None
1394 Use of Default Cryptographic Key
Major Weakness_Ordinalities
Minor None
1395 Dependency on Vulnerable Third-Party Component
Major Observed_Examples, Relationships, Weakness_Ordinalities
Minor None
1419 Incorrect Initialization of Resource
Major Detection_Factors, Weakness_Ordinalities
Minor None
1420 Exposure of Sensitive Information during Transient Execution
Major References, Weakness_Ordinalities
Minor None
1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
Major References, Weakness_Ordinalities
Minor None
1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
Major Weakness_Ordinalities
Minor None
1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Major Weakness_Ordinalities
Minor None
1426 Improper Validation of Generative AI Output
Major Weakness_Ordinalities
Minor None
1427 Improper Neutralization of Input Used for LLM Prompting
Major Observed_Examples, Weakness_Ordinalities
Minor None
1428 Reliance on HTTP instead of HTTPS
Major Weakness_Ordinalities
Minor None
1429 Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
Major Demonstrative_Examples, Weakness_Ordinalities
Minor Common_Consequences
1430 Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
Major References
Minor None
1431 Driving Intermediate Cryptographic State/Results to Hardware Module Outputs
Major Weakness_Ordinalities
Minor None
Page Last Updated: December 11, 2025