CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 3.4.1 and Version 4.0  
ID

Differences between Version 3.4.1 and Version 4.0

Summary
Summary
Total weaknesses/chains/composites (Version 4.0) 839
Total weaknesses/chains/composites (Version 3.4.1) 808
Total new 62
Total deprecated 13
Total with major changes 883
Total with only minor changes
Total unchanged 293

Summary of Entry Types

Type Version 3.4.1 Version 4.0
Weakness 808 839
Category 295 312
View 38 39
Deprecated 48 61
Total 1189 1251

Back to top
Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 67 0
Description 152 1
Applicable_Platforms 63 0
Time_of_Introduction 19 0
Demonstrative_Examples 14 0
Detection_Factors 11 0
Likelihood_of_Exploit 0 0
Common_Consequences 4 0
Relationships 783 0
References 159 0
Potential_Mitigations 97 0
Observed_Examples 19 0
Terminology_Notes 1 0
Alternate_Terms 5 0
Related_Attack_Patterns 10 0
Relationship_Notes 6 0
Taxonomy_Mappings 22 0
Maintenance_Notes 12 0
Modes_of_Introduction 4 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 1 0
Weakness_Ordinalities 5 0
Other_Notes 4 0
View_Type 0 0
View_Structure 0 0
View_Filter 1 0
View_Audience 22 0
Type 70 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1119
Category Deprecated 11 4, 21, 171, 376, 380, 381, 442, 461, 490, 519, 559
Weakness/Base Deprecated 1 1187
Weakness/Base Weakness/Class 8 99, 114, 185, 377, 446, 522, 667, 1023
Weakness/Base Weakness/Variant 7 111, 113, 180, 181, 259, 321, 457
Weakness/Class Deprecated 1 216
Weakness/Class Pillar 10 284, 435, 664, 682, 691, 693, 697, 703, 707, 710
Weakness/Class Weakness/Base 5 73, 250, 359, 390, 756
Weakness/Variant Weakness/Base 27 201, 214, 215, 260, 261, 262, 379, 460, 478, 483, 487, 488, 497, 523, 524, 532, 540, 549, 570, 571, 585, 612, 620, 764, 911, 1069, 1071

Status Changes

From To Total
Unchanged 1171
Draft Deprecated 9
Draft Obsolete 2
Incomplete Deprecated 4
Incomplete Draft 2
Incomplete Obsolete 1

Relationship Changes

The "Version 4.0 Total" lists the total number of relationships in Version 4.0. The "Shared" value is the total number of relationships in entries that were in both Version 4.0 and Version 3.4.1. The "New" value is the total number of relationships involving entries that did not exist in Version 3.4.1. Thus, the total number of relationships in Version 4.0 would combine stats from Shared entries and New entries.

Relationship Version 4.0 Total Version 3.4.1 Total Version 4.0 Shared Unchanged Added to Version 4.0 Removed from Version 3.4.1 Version 4.0 New
ALL 8593 9365 8141 7605 536 1760 452
ChildOf 3586 3991 3386 3138 248 853 200
ParentOf 3586 3991 3386 3138 248 853 200
MemberOf 496 467 470 457 13 10 26
HasMember 496 467 470 457 13 10 26
CanPrecede 122 129 122 116 6 13
CanFollow 122 129 122 116 6 13
StartsWith 3 3 3 3
Requires 13 14 13 13 1
RequiredBy 13 14 13 13 1
CanAlsoBe 28 30 28 28 2
PeerOf 128 130 128 126 2 4

Nodes Removed from Version 3.4.1

CWE-ID CWE Name
None.

Nodes Added to Version 4.0

CWE-ID CWE Name
1189 Improper Isolation of Shared Resources on System-on-Chip (SoC)
1190 DMA Device Enabled Too Early in Boot Phase
1191 Exposed Chip Debug Interface With Insufficient Access Control
1192 System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
1194 Hardware Design
1195 Manufacturing and Life Cycle Management Concerns
1196 Security Flow Issues
1197 Integration Issues
1198 Privilege Separation and Access Control Issues
1199 General Circuit and Logic Design Concerns
1201 Core and Compute Issues
1202 Memory and Storage Issues
1203 Peripherals, On-chip Fabric, and Interface/IO Problems
1205 Security Primitives and Cryptography Issues
1206 Power, Clock, and Reset Concerns
1207 Debug and Test Problems
1208 Cross-Cutting Problems
1209 Failure to Disable Reserved Bits
1210 Audit / Logging Errors
1211 Authentication Errors
1212 Authorization Errors
1213 Random Number Issues
1214 Data Integrity Issues
1215 Input Validation Issues
1216 Lockout Mechanism Errors
1217 User Session Errors
1218 Memory Buffer Errors
1219 File Handling Issues
1220 Insufficient Granularity of Access Control
1221 Incorrect Register Defaults or Module Parameters
1222 Insufficient Granularity of Address Regions Protected by Register Locks
1223 Race Condition for Write-Once Attributes
1224 Improper Restriction of Write-Once Bit Fields
1225 Documentation Issues
1226 Complexity Issues
1227 Encapsulation Issues
1228 API / Function Errors
1229 Creation of Emergent Resource
1230 Exposure of Sensitive Information Through Metadata
1231 Improper Implementation of Lock Protection Registers
1232 Improper Lock Behavior After Power State Transition
1233 Improper Hardware Lock Protection for Security Sensitive Controls
1234 Hardware Internal or Debug Modes Allow Override of Locks
1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
1236 Improper Neutralization of Formula Elements in a CSV File
1237 SFP Primary Cluster: Faulty Resource Release
1238 SFP Primary Cluster: Failure to Release Memory
1239 Improper Zeroization of Hardware Register
1240 Use of a Risky Cryptographic Primitive
1241 Use of Predictable Algorithm in Random Number Generator
1242 Inclusion of Undocumented Features or Chicken Bits
1243 Exposure of Security-Sensitive Fuse Values During Debug
1244 Improper Authorization on Physical Debug and Test Interfaces
1245 Improper Finite State Machines (FSMs) in Hardware Logic
1246 Improper Write Handling in Limited-write Non-Volatile Memories
1247 Missing Protection Against Voltage and Clock Glitches
1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System
1250 Improper Preservation of Consistency Between Independent Representations of Shared State
1251 Mirrored Regions with Different Values
1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

Nodes Deprecated in Version 4.0

CWE-ID CWE Name
4 DEPRECATED: J2EE Environment Issues
21 DEPRECATED: Pathname Traversal and Equivalence Errors
171 DEPRECATED: Cleansing, Canonicalization, and Comparison Errors
216 DEPRECATED: Containment Errors (Container Errors)
376 DEPRECATED: Temporary File Issues
380 DEPRECATED: Technology-Specific Time and State Issues
381 DEPRECATED: J2EE Time and State Issues
442 DEPRECATED: Web Problems
461 DEPRECATED: Data Structure Issues
490 DEPRECATED: Mobile Code Issues
519 DEPRECATED: .NET Environment Issues
559 DEPRECATED: Often Misused: Arguments and Parameters
1187 DEPRECATED: Use of Uninitialized Resource
Back to top
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

DNR 4 DEPRECATED: J2EE Environment Issues
R 5 J2EE Misconfiguration: Data Transmission Without Encryption
R 6 J2EE Misconfiguration: Insufficient Session-ID Length
R 7 J2EE Misconfiguration: Missing Custom Error Page
R 8 J2EE Misconfiguration: Entity Bean Declared Remote
R 9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
R 11 ASP.NET Misconfiguration: Creating Debug Binary
R 12 ASP.NET Misconfiguration: Missing Custom Error Page
R 13 ASP.NET Misconfiguration: Password in Configuration File
R 14 Compiler Removal of Code to Clear Buffers
R 15 External Control of System or Configuration Setting
R 16 Configuration
D R 19 Data Processing Errors
R 20 Improper Input Validation
DNR 21 DEPRECATED: Pathname Traversal and Equivalence Errors
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 23 Relative Path Traversal
R 24 Path Traversal: '../filedir'
R 25 Path Traversal: '/../filedir'
R 26 Path Traversal: '/dir/../filename'
R 27 Path Traversal: 'dir/../../filename'
R 28 Path Traversal: '..\filedir'
R 29 Path Traversal: '\..\filename'
R 30 Path Traversal: '\dir\..\filename'
R 31 Path Traversal: 'dir\..\..\filename'
R 32 Path Traversal: '...' (Triple Dot)
R 33 Path Traversal: '....' (Multiple Dot)
R 34 Path Traversal: '....//'
R 35 Path Traversal: '.../...//'
R 36 Absolute Path Traversal
R 37 Path Traversal: '/absolute/pathname/here'
R 38 Path Traversal: '\absolute\pathname\here'
R 39 Path Traversal: 'C:dirname'
R 40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
R 41 Improper Resolution of Path Equivalence
R 42 Path Equivalence: 'filename.' (Trailing Dot)
R 43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
R 44 Path Equivalence: 'file.name' (Internal Dot)
R 45 Path Equivalence: 'file...name' (Multiple Internal Dot)
R 46 Path Equivalence: 'filename ' (Trailing Space)
R 47 Path Equivalence: ' filename' (Leading Space)
R 48 Path Equivalence: 'file name' (Internal Whitespace)
R 49 Path Equivalence: 'filename/' (Trailing Slash)
R 50 Path Equivalence: '//multiple/leading/slash'
R 51 Path Equivalence: '/multiple//internal/slash'
R 52 Path Equivalence: '/multiple/trailing/slash//'
R 53 Path Equivalence: '\multiple\\internal\backslash'
R 54 Path Equivalence: 'filedir\' (Trailing Backslash)
R 55 Path Equivalence: '/./' (Single Dot Directory)
R 56 Path Equivalence: 'filedir*' (Wildcard)
R 57 Path Equivalence: 'fakedir/../realdir/filename'
R 58 Path Equivalence: Windows 8.3 Filename
R 59 Improper Link Resolution Before File Access ('Link Following')
R 61 UNIX Symbolic Link (Symlink) Following
R 62 UNIX Hard Link
R 64 Windows Shortcut Following (.LNK)
R 65 Windows Hard Link
R 66 Improper Handling of File Names that Identify Virtual Resources
R 67 Improper Handling of Windows Device Names
D 68 DEPRECATED: Windows Virtual File Problems
R 69 Improper Handling of Windows ::DATA Alternate Data Stream
D 70 DEPRECATED: Mac Virtual File Problems
R 72 Improper Handling of Apple HFS+ Alternate Data Stream Path
R 73 External Control of File Name or Path
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
R 76 Improper Neutralization of Equivalent Special Elements
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
D R 81 Improper Neutralization of Script in an Error Message Web Page
R 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
R 83 Improper Neutralization of Script in Attributes in a Web Page
R 84 Improper Neutralization of Encoded URI Schemes in a Web Page
R 85 Doubled Character XSS Manipulations
R 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
R 87 Improper Neutralization of Alternate XSS Syntax
R 88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
R 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
R 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
R 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 102 Struts: Duplicate Validation Forms
R 103 Struts: Incomplete validate() Method Definition
R 104 Struts: Form Bean Does Not Extend Validation Class
R 105 Struts: Form Field Without Validator
R 106 Struts: Plug-in Framework not in Use
R 107 Struts: Unused Validation Form
R 108 Struts: Unvalidated Action Form
R 109 Struts: Validator Turned Off
R 110 Struts: Validator Without Form Field
R 111 Direct Use of Unsafe JNI
R 112 Missing XML Validation
R 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
R 114 Process Control
R 115 Misinterpretation of Input
R 116 Improper Encoding or Escaping of Output
R 117 Improper Output Neutralization for Logs
R 118 Incorrect Access of Indexable Resource ('Range Error')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 121 Stack-based Buffer Overflow
R 122 Heap-based Buffer Overflow
R 123 Write-what-where Condition
R 124 Buffer Underwrite ('Buffer Underflow')
R 125 Out-of-bounds Read
R 126 Buffer Over-read
R 127 Buffer Under-read
R 128 Wrap-around Error
R 129 Improper Validation of Array Index
R 130 Improper Handling of Length Parameter Inconsistency
R 131 Incorrect Calculation of Buffer Size
R 133 String Errors
R 134 Use of Externally-Controlled Format String
R 136 Type Errors
DNR 137 Data Representation Errors
R 138 Improper Neutralization of Special Elements
R 140 Improper Neutralization of Delimiters
R 141 Improper Neutralization of Parameter/Argument Delimiters
R 142 Improper Neutralization of Value Delimiters
R 143 Improper Neutralization of Record Delimiters
R 144 Improper Neutralization of Line Delimiters
R 145 Improper Neutralization of Section Delimiters
R 146 Improper Neutralization of Expression/Command Delimiters
R 147 Improper Neutralization of Input Terminators
R 148 Improper Neutralization of Input Leaders
R 149 Improper Neutralization of Quoting Syntax
R 150 Improper Neutralization of Escape, Meta, or Control Sequences
R 151 Improper Neutralization of Comment Delimiters
R 152 Improper Neutralization of Macro Symbols
R 153 Improper Neutralization of Substitution Characters
R 154 Improper Neutralization of Variable Name Delimiters
R 155 Improper Neutralization of Wildcards or Matching Symbols
R 156 Improper Neutralization of Whitespace
R 157 Failure to Sanitize Paired Delimiters
R 158 Improper Neutralization of Null Byte or NUL Character
DNR 159 Improper Handling of Invalid Use of Special Elements
R 160 Improper Neutralization of Leading Special Elements
R 161 Improper Neutralization of Multiple Leading Special Elements
R 162 Improper Neutralization of Trailing Special Elements
R 163 Improper Neutralization of Multiple Trailing Special Elements
R 164 Improper Neutralization of Internal Special Elements
R 165 Improper Neutralization of Multiple Internal Special Elements
R 166 Improper Handling of Missing Special Element
D R 167 Improper Handling of Additional Special Element
D R 168 Improper Handling of Inconsistent Special Elements
R 170 Improper Null Termination
DNR 171 DEPRECATED: Cleansing, Canonicalization, and Comparison Errors
R 172 Encoding Error
R 173 Improper Handling of Alternate Encoding
R 174 Double Decoding of the Same Data
R 175 Improper Handling of Mixed Encoding
R 176 Improper Handling of Unicode Encoding
R 177 Improper Handling of URL Encoding (Hex Encoding)
R 178 Improper Handling of Case Sensitivity
R 179 Incorrect Behavior Order: Early Validation
R 180 Incorrect Behavior Order: Validate Before Canonicalize
R 181 Incorrect Behavior Order: Validate Before Filter
R 182 Collapse of Data into Unsafe Value
DNR 183 Permissive List of Allowed Inputs
DNR 184 Incomplete List of Disallowed Inputs
R 185 Incorrect Regular Expression
D R 186 Overly Restrictive Regular Expression
R 187 Partial String Comparison
R 189 Numeric Errors
R 190 Integer Overflow or Wraparound
R 191 Integer Underflow (Wrap or Wraparound)
R 192 Integer Coercion Error
R 193 Off-by-one Error
R 194 Unexpected Sign Extension
R 195 Signed to Unsigned Conversion Error
R 196 Unsigned to Signed Conversion Error
R 197 Numeric Truncation Error
R 199 Information Management Errors
DNR 200 Exposure of Sensitive Information to an Unauthorized Actor
DNR 201 Exposure of Sensitive Information Through Sent Data
NR 202 Exposure of Sensitive Information Through Data Queries
DNR 203 Observable Discrepancy
DNR 204 Observable Response Discrepancy
DNR 205 Observable Behavioral Discrepancy
DNR 206 Observable Internal Behavioral Discrepancy
DNR 207 Observable Behavioral Discrepancy With Equivalent Products
DNR 208 Observable Timing Discrepancy
DNR 209 Generation of Error Message Containing Sensitive Information
NR 210 Self-generated Error Message Containing Sensitive Information
DNR 211 Externally-Generated Error Message Containing Sensitive Information
DNR 212 Improper Removal of Sensitive Information Before Storage or Transfer
DNR 213 Exposure of Sensitive Information Due to Incompatible Policies
DNR 214 Invocation of Process Using Visible Sensitive Information
DNR 215 Insertion of Sensitive Information Into Debugging Code
DNR 216 DEPRECATED: Containment Errors (Container Errors)
DNR 219 Storage of File with Sensitive Data Under Web Root
DNR 220 Storage of File With Sensitive Data Under FTP Root
R 221 Information Loss or Omission
R 222 Truncation of Security-relevant Information
R 223 Omission of Security-relevant Information
R 224 Obscured Security-relevant Information by Alternate Name
DNR 226 Sensitive Information Uncleared in Resource Before Release for Reuse
D R 227 7PK - API Abuse
R 228 Improper Handling of Syntactically Invalid Structure
R 229 Improper Handling of Values
R 230 Improper Handling of Missing Values
R 231 Improper Handling of Extra Values
R 232 Improper Handling of Undefined Values
R 233 Improper Handling of Parameters
R 234 Failure to Handle Missing Parameter
R 235 Improper Handling of Extra Parameters
R 236 Improper Handling of Undefined Parameters
R 237 Improper Handling of Structural Elements
R 238 Improper Handling of Incomplete Structural Elements
R 239 Failure to Handle Incomplete Element
R 240 Improper Handling of Inconsistent Structural Elements
R 241 Improper Handling of Unexpected Data Type
R 242 Use of Inherently Dangerous Function
R 244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
R 245 J2EE Bad Practices: Direct Management of Connections
R 246 J2EE Bad Practices: Direct Use of Sockets
R 250 Execution with Unnecessary Privileges
R 251 Often Misused: String Management
R 254 7PK - Security Features
NR 255 Credentials Management Errors
R 256 Unprotected Storage of Credentials
R 257 Storing Passwords in a Recoverable Format
R 258 Empty Password in Configuration File
R 259 Use of Hard-coded Password
R 260 Password in Configuration File
DNR 261 Weak Encoding for Password
D 262 Not Using Password Aging
R 264 Permissions, Privileges, and Access Controls
DNR 265 Privilege Issues
R 266 Incorrect Privilege Assignment
R 267 Privilege Defined With Unsafe Actions
R 269 Improper Privilege Management
R 270 Privilege Context Switching Error
R 271 Privilege Dropping / Lowering Errors
R 272 Least Privilege Violation
R 273 Improper Check for Dropped Privileges
R 275 Permission Issues
D R 276 Incorrect Default Permissions
R 280 Improper Handling of Insufficient Permissions or Privileges
R 282 Improper Ownership Management
R 283 Unverified Ownership
R 284 Improper Access Control
R 285 Improper Authorization
R 286 Incorrect User Management
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
R 290 Authentication Bypass by Spoofing
R 291 Reliance on IP Address for Authentication
R 293 Using Referer Field for Authentication
R 294 Authentication Bypass by Capture-replay
D R 295 Improper Certificate Validation
R 296 Improper Following of a Certificate's Chain of Trust
R 297 Improper Validation of Certificate with Host Mismatch
R 298 Improper Validation of Certificate Expiration
R 299 Improper Check for Certificate Revocation
NR 300 Channel Accessible by Non-Endpoint
R 301 Reflection Attack in an Authentication Protocol
R 302 Authentication Bypass by Assumed-Immutable Data
R 303 Incorrect Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
R 305 Authentication Bypass by Primary Weakness
R 306 Missing Authentication for Critical Function
R 307 Improper Restriction of Excessive Authentication Attempts
R 308 Use of Single-factor Authentication
R 309 Use of Password System for Primary Authentication
D R 310 Cryptographic Issues
R 311 Missing Encryption of Sensitive Data
R 312 Cleartext Storage of Sensitive Information
R 313 Cleartext Storage in a File or on Disk
R 314 Cleartext Storage in the Registry
R 315 Cleartext Storage of Sensitive Information in a Cookie
R 316 Cleartext Storage of Sensitive Information in Memory
R 317 Cleartext Storage of Sensitive Information in GUI
R 318 Cleartext Storage of Sensitive Information in Executable
R 319 Cleartext Transmission of Sensitive Information
R 320 Key Management Errors
R 321 Use of Hard-coded Cryptographic Key
D R 322 Key Exchange without Entity Authentication
R 324 Use of a Key Past its Expiration Date
D R 325 Missing Required Cryptographic Step
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 329 Not Using a Random IV with CBC Mode
D R 330 Use of Insufficiently Random Values
R 331 Insufficient Entropy
R 332 Insufficient Entropy in PRNG
R 333 Improper Handling of Insufficient Entropy in TRNG
R 334 Small Space of Random Values
R 335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
R 336 Same Seed in Pseudo-Random Number Generator (PRNG)
D R 337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
R 338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
R 339 Small Seed Space in PRNG
DNR 340 Generation of Predictable Numbers or Identifiers
R 341 Predictable from Observable State
R 342 Predictable Exact Value from Previous Values
R 343 Predictable Value Range from Previous Values
R 344 Use of Invariant Value in Dynamically Changing Context
R 345 Insufficient Verification of Data Authenticity
R 346 Origin Validation Error
R 347 Improper Verification of Cryptographic Signature
R 348 Use of Less Trusted Source
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
R 351 Insufficient Type Distinction
R 352 Cross-Site Request Forgery (CSRF)
R 353 Missing Support for Integrity Check
R 354 Improper Validation of Integrity Check Value
R 355 User Interface Security Issues
R 358 Improperly Implemented Security Check for Standard
DNR 359 Exposure of Private Personal Information to an Unauthorized Actor
R 360 Trust of System Event Data
R 361 7PK - Time and State
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 363 Race Condition Enabling Link Following
R 364 Signal Handler Race Condition
D R 365 Race Condition in Switch
R 366 Race Condition within a Thread
R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
R 368 Context Switching Race Condition
R 369 Divide By Zero
R 370 Missing Check for Certificate Revocation after Initial Check
R 371 State Issues
DNR 376 DEPRECATED: Temporary File Issues
R 377 Insecure Temporary File
R 378 Creation of Temporary File With Insecure Permissions
NR 379 Creation of Temporary File in Directory with Insecure Permissions
DNR 380 DEPRECATED: Technology-Specific Time and State Issues
DNR 381 DEPRECATED: J2EE Time and State Issues
R 382 J2EE Bad Practices: Use of System.exit()
R 383 J2EE Bad Practices: Direct Use of Threads
R 384 Session Fixation
R 385 Covert Timing Channel
R 386 Symbolic Name not Mapping to Correct Object
R 387 Signal Errors
R 389 Error Conditions, Return Values, Status Codes
R 399 Resource Management Errors
D R 400 Uncontrolled Resource Consumption
R 401 Missing Release of Memory after Effective Lifetime
R 402 Transmission of Private Resources into a New Sphere ('Resource Leak')
R 403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
R 404 Improper Resource Shutdown or Release
R 405 Asymmetric Resource Consumption (Amplification)
R 406 Insufficient Control of Network Message Volume (Network Amplification)
R 407 Inefficient Algorithmic Complexity
R 408 Incorrect Behavior Order: Early Amplification
R 409 Improper Handling of Highly Compressed Data (Data Amplification)
R 410 Insufficient Resource Pool
R 411 Resource Locking Problems
R 412 Unrestricted Externally Accessible Lock
R 413 Improper Resource Locking
R 415 Double Free
R 416 Use After Free
DNR 417 Communication Channel Errors
R 420 Unprotected Alternate Channel
R 421 Race Condition During Access to Alternate Channel
R 422 Unprotected Windows Messaging Channel ('Shatter')
R 424 Improper Protection of Alternate Path
R 425 Direct Request ('Forced Browsing')
R 426 Untrusted Search Path
R 427 Uncontrolled Search Path Element
R 428 Unquoted Search Path or Element
R 429 Handler Errors
R 432 Dangerous Signal Handler not Disabled During Sensitive Operations
R 436 Interpretation Conflict
R 437 Incomplete Model of Endpoint Features
R 438 Behavioral Problems
R 440 Expected Behavior Violation
R 441 Unintended Proxy or Intermediary ('Confused Deputy')
DNR 442 DEPRECATED: Web Problems
R 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
R 446 UI Discrepancy for Security Feature
R 447 Unimplemented or Unsupported Feature in UI
R 448 Obsolete Feature in UI
R 449 The UI Performs the Wrong Action
R 451 User Interface (UI) Misrepresentation of Critical Information
R 452 Initialization and Cleanup Errors
R 453 Insecure Default Variable Initialization
R 456 Missing Initialization of a Variable
R 457 Use of Uninitialized Variable
DNR 461 DEPRECATED: Data Structure Issues
R 462 Duplicate Key in Associative List (Alist)
R 463 Deletion of Data Structure Sentinel
R 464 Addition of Data Structure Sentinel
R 465 Pointer Issues
R 469 Use of Pointer Subtraction to Determine Size
R 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
R 471 Modification of Assumed-Immutable Data (MAID)
R 472 External Control of Assumed-Immutable Web Parameter
R 473 PHP External Variable Modification
R 474 Use of Function with Inconsistent Implementations
R 475 Undefined Behavior for Input to API
R 477 Use of Obsolete Function
R 478 Missing Default Case in Switch Statement
D R 479 Signal Handler Use of a Non-reentrant Function
R 480 Use of Incorrect Operator
R 481 Assigning instead of Comparing
R 482 Comparing instead of Assigning
R 483 Incorrect Block Delimitation
R 484 Omitted Break Statement in Switch
R 486 Comparison of Classes by Name
R 488 Exposure of Data Element to Wrong Session
DNR 489 Active Debug Code
DNR 490 DEPRECATED: Mobile Code Issues
R 491 Public cloneable() Method Without Final ('Object Hijack')
D R 492 Use of Inner Class Containing Sensitive Data
R 493 Critical Public Variable Without Final Modifier
R 494 Download of Code Without Integrity Check
R 495 Private Data Structure Returned From A Public Method
R 496 Public Data Assigned to Private Array-Typed Field
DNR 497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
R 498 Cloneable Class Containing Sensitive Information
R 499 Serializable Class Containing Sensitive Data
R 500 Public Static Field Not Marked Final
R 502 Deserialization of Untrusted Data
R 506 Embedded Malicious Code
R 507 Trojan Horse
R 508 Non-Replicating Malicious Code
R 509 Replicating Malicious Code (Virus or Worm)
R 510 Trapdoor
R 511 Logic/Time Bomb
R 512 Spyware
R 514 Covert Channel
R 515 Covert Storage Channel
DNR 519 DEPRECATED: .NET Environment Issues
R 520 .NET Misconfiguration: Use of Impersonation
D 521 Weak Password Requirements
D R 522 Insufficiently Protected Credentials
D R 523 Unprotected Transport of Credentials
DNR 524 Use of Cache Containing Sensitive Information
DNR 525 Use of Web Browser Cache Containing Sensitive Information
NR 526 Exposure of Sensitive Information Through Environmental Variables
DNR 527 Exposure of Version-Control Repository to an Unauthorized Control Sphere
D R 528 Exposure of Core Dump File to an Unauthorized Control Sphere
R 529 Exposure of Access Control List Files to an Unauthorized Control Sphere
D R 530 Exposure of Backup File to an Unauthorized Control Sphere
NR 531 Inclusion of Sensitive Information in Test Code
NR 532 Insertion of Sensitive Information into Log File
NR 535 Exposure of Information Through Shell Error Message
NR 536 Servlet Runtime Error Message Containing Sensitive Information
NR 537 Java Runtime Error Message Containing Sensitive Information
DNR 538 Insertion of Sensitive Information into Externally-Accessible File or Directory
DNR 539 Use of Persistent Cookies Containing Sensitive Information
DNR 540 Inclusion of Sensitive Information in Source Code
NR 541 Inclusion of Sensitive Information in an Include File
R 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
R 546 Suspicious Comment
R 547 Use of Hard-coded, Security-relevant Constants
NR 548 Exposure of Information Through Directory Listing
NR 550 Server-generated Error Message Containing Sensitive Information
R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
D R 552 Files or Directories Accessible to External Parties
R 553 Command Shell in Externally Accessible Directory
R 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
R 555 J2EE Misconfiguration: Plaintext Password in Configuration File
R 556 ASP.NET Misconfiguration: Use of Identity Impersonation
R 557 Concurrency Issues
R 558 Use of getlogin() in Multithreaded Application
DNR 559 DEPRECATED: Often Misused: Arguments and Parameters
R 560 Use of umask() with chmod-style Argument
R 561 Dead Code
R 562 Return of Stack Variable Address
R 563 Assignment to Variable without Use
R 564 SQL Injection: Hibernate
R 565 Reliance on Cookies without Validation and Integrity Checking
R 566 Authorization Bypass Through User-Controlled SQL Primary Key
R 568 finalize() Method Without super.finalize()
R 570 Expression is Always False
R 571 Expression is Always True
R 572 Call to Thread run() instead of start()
R 573 Improper Following of Specification by Caller
R 574 EJB Bad Practices: Use of Synchronization Primitives
R 575 EJB Bad Practices: Use of AWT Swing
R 576 EJB Bad Practices: Use of Java I/O
R 577 EJB Bad Practices: Use of Sockets
R 578 EJB Bad Practices: Use of Class Loader
R 579 J2EE Bad Practices: Non-serializable Object Stored in Session
R 580 clone() Method Without super.clone()
R 581 Object Model Violation: Just One of Equals and Hashcode Defined
R 582 Array Declared Public, Final, and Static
D R 583 finalize() Method Declared Public
R 585 Empty Synchronized Block
R 586 Explicit Call to Finalize()
R 589 Call to Non-ubiquitous API
R 590 Free of Memory not on the Heap
R 591 Sensitive Data Storage in Improperly Locked Memory
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
R 594 J2EE Framework: Saving Unserializable Objects to Disk
R 595 Comparison of Object References Instead of Object Contents
R 597 Use of Wrong Operator in String Comparison
DNR 598 Use of GET Request Method With Sensitive Query Strings
R 599 Missing Validation of OpenSSL Certificate
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 602 Client-Side Enforcement of Server-Side Security
R 603 Use of Client-Side Authentication
R 606 Unchecked Input for Loop Condition
R 607 Public Static Final Field References Mutable Object
R 608 Struts: Non-private Field in ActionForm Class
R 609 Double-Checked Locking
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 611 Improper Restriction of XML External Entity Reference
DNR 612 Improper Authorization of Index Containing Sensitive Information
R 613 Insufficient Session Expiration
R 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
NR 615 Inclusion of Sensitive Information in Source Code Comments
R 616 Incomplete Identification of Uploaded File Variables (PHP)
R 619 Dangling Database Cursor ('Cursor Injection')
R 620 Unverified Password Change
R 621 Variable Extraction Error
R 622 Improper Validation of Function Hook Arguments
R 623 Unsafe ActiveX Control Marked Safe For Scripting
R 624 Executable Regular Expression Error
R 625 Permissive Regular Expression
R 626 Null Byte Interaction Error (Poison Null Byte)
R 627 Dynamic Variable Evaluation
R 628 Function Call with Incorrectly Specified Arguments
R 636 Not Failing Securely ('Failing Open')
R 637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
R 638 Not Using Complete Mediation
R 639 Authorization Bypass Through User-Controlled Key
R 641 Improper Restriction of Names for Files and Other Resources
R 642 External Control of Critical State Data
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
R 644 Improper Neutralization of HTTP Headers for Scripting Syntax
R 645 Overly Restrictive Account Lockout Mechanism
R 646 Reliance on File Name or Extension of Externally-Supplied File
R 647 Use of Non-Canonical URL Paths for Authorization Decisions
R 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
R 650 Trusting HTTP Permission Methods on the Server Side
NR 651 Exposure of WSDL File Containing Sensitive Information
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
R 653 Insufficient Compartmentalization
R 654 Reliance on a Single Factor in a Security Decision
R 655 Insufficient Psychological Acceptability
R 656 Reliance on Security Through Obscurity
R 657 Violation of Secure Design Principles
D R 662 Improper Synchronization
R 663 Use of a Non-reentrant Function in a Concurrent Context
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 666 Operation on Resource in Wrong Phase of Lifetime
R 667 Improper Locking
R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
R 670 Always-Incorrect Control Flow Implementation
R 671 Lack of Administrator Control over Security
R 672 Operation on a Resource after Expiration or Release
R 673 External Influence of Sphere Definition
R 674 Uncontrolled Recursion
R 675 Duplicate Operations on Resource
R 676 Use of Potentially Dangerous Function
R 681 Incorrect Conversion between Numeric Types
R 682 Incorrect Calculation
R 683 Function Call With Incorrect Order of Arguments
R 684 Incorrect Provision of Specified Functionality
R 685 Function Call With Incorrect Number of Arguments
R 686 Function Call With Incorrect Argument Type
R 687 Function Call With Incorrectly Specified Argument Value
R 688 Function Call With Incorrect Variable or Reference as Argument
R 689 Permission Race Condition During Resource Copy
R 693 Protection Mechanism Failure
R 694 Use of Multiple Resources with Duplicate Identifier
R 695 Use of Low-Level Functionality
R 696 Incorrect Behavior Order
R 697 Incorrect Comparison
R 698 Execution After Redirect (EAR)
DNR 699 Software Development
R 703 Improper Check or Handling of Exceptional Conditions
R 704 Incorrect Type Conversion or Cast
R 705 Incorrect Control Flow Scoping
R 706 Use of Incorrectly-Resolved Name or Reference
DNR 707 Improper Neutralization
R 708 Incorrect Ownership Assignment
R 710 Improper Adherence to Coding Standards
R 731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
D R 732 Incorrect Permission Assignment for Critical Resource
R 733 Compiler Optimization Removal or Modification of Security-critical Code
R 749 Exposed Dangerous Method or Function
R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
R 756 Missing Custom Error Page
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
R 759 Use of a One-Way Hash without a Salt
R 760 Use of a One-Way Hash with a Predictable Salt
R 761 Free of Pointer not at Start of Buffer
R 762 Mismatched Memory Management Routines
R 763 Release of Invalid Pointer or Reference
R 764 Multiple Locks of a Critical Resource
R 765 Multiple Unlocks of a Critical Resource
R 766 Critical Data Element Declared Public
R 767 Access to Critical Private Variable via Public Method
R 768 Incorrect Short Circuit Evaluation
R 770 Allocation of Resources Without Limits or Throttling
R 771 Missing Reference to Active Allocated Resource
R 772 Missing Release of Resource after Effective Lifetime
R 773 Missing Reference to Active File Descriptor or Handle
R 774 Allocation of File Descriptors or Handles Without Limits or Throttling
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
R 777 Regular Expression without Anchors
R 778 Insufficient Logging
R 779 Logging of Excessive Data
R 780 Use of RSA Algorithm without OAEP
R 781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
R 782 Exposed IOCTL with Insufficient Access Control
R 783 Operator Precedence Logic Error
R 784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
R 785 Use of Path Manipulation Function without Maximum-sized Buffer
R 786 Access of Memory Location Before Start of Buffer
R 787 Out-of-bounds Write
R 788 Access of Memory Location After End of Buffer
R 789 Uncontrolled Memory Allocation
R 790 Improper Filtering of Special Elements
R 791 Incomplete Filtering of Special Elements
R 792 Incomplete Filtering of One or More Instances of Special Elements
R 793 Only Filtering One Instance of a Special Element
R 794 Incomplete Filtering of Multiple Instances of Special Elements
R 795 Only Filtering Special Elements at a Specified Location
R 796 Only Filtering Special Elements Relative to a Marker
R 797 Only Filtering Special Elements at an Absolute Position
R 798 Use of Hard-coded Credentials
R 799 Improper Control of Interaction Frequency
R 804 Guessable CAPTCHA
R 805 Buffer Access with Incorrect Length Value
R 806 Buffer Access Using Size of Source Buffer
R 807 Reliance on Untrusted Inputs in a Security Decision
R 820 Missing Synchronization
R 821 Incorrect Synchronization
R 822 Untrusted Pointer Dereference
R 823 Use of Out-of-range Pointer Offset
R 824 Access of Uninitialized Pointer
R 825 Expired Pointer Dereference
D R 826 Premature Release of Resource During Expected Lifetime
R 827 Improper Control of Document Type Definition
R 828 Signal Handler with Functionality that is not Asynchronous-Safe
R 829 Inclusion of Functionality from Untrusted Control Sphere
R 830 Inclusion of Web Functionality from an Untrusted Source
R 831 Signal Handler Function Associated with Multiple Signals
R 832 Unlock of a Resource that is not Locked
R 833 Deadlock
R 834 Excessive Iteration
R 835 Loop with Unreachable Exit Condition ('Infinite Loop')
R 836 Use of Password Hash Instead of Password for Authentication
R 837 Improper Enforcement of a Single, Unique Action
R 838 Inappropriate Encoding for Output Context
R 840 Business Logic Errors
R 841 Improper Enforcement of Behavioral Workflow
R 842 Placement of User into Incorrect Group
R 843 Access of Resource Using Incompatible Type ('Type Confusion')
R 845 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS)
R 862 Missing Authorization
R 863 Incorrect Authorization
D 885 SFP Primary Cluster: Risky Values
D 886 SFP Primary Cluster: Unused entities
D 887 SFP Primary Cluster: API
D 889 SFP Primary Cluster: Exception Management
D 890 SFP Primary Cluster: Memory Access
D 891 SFP Primary Cluster: Memory Management
D 892 SFP Primary Cluster: Resource Management
D 893 SFP Primary Cluster: Path Resolution
D 894 SFP Primary Cluster: Synchronization
D 895 SFP Primary Cluster: Information Leak
D 896 SFP Primary Cluster: Tainted Input
D 897 SFP Primary Cluster: Entry Points
D 898 SFP Primary Cluster: Authentication
D 899 SFP Primary Cluster: Access Control
D 901 SFP Primary Cluster: Privilege
D R 908 Use of Uninitialized Resource
R 909 Missing Initialization of Resource
R 910 Use of Expired File Descriptor
R 911 Improper Update of Reference Count
R 912 Hidden Functionality
R 913 Improper Control of Dynamically-Managed Code Resources
R 914 Improper Control of Dynamically-Identified Variables
R 915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
R 916 Use of Password Hash With Insufficient Computational Effort
R 917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
R 918 Server-Side Request Forgery (SSRF)
R 920 Improper Restriction of Power Consumption
R 921 Storage of Sensitive Data in a Mechanism without Access Control
R 922 Insecure Storage of Sensitive Information
R 923 Improper Restriction of Communication Channel to Intended Endpoints
D R 924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel
R 925 Improper Verification of Intent by Broadcast Receiver
R 926 Improper Export of Android Application Components
R 927 Use of Implicit Intent for Sensitive Communication
R 939 Improper Authorization in Handler for Custom URL Scheme
R 940 Improper Verification of Source of a Communication Channel
R 941 Incorrectly Specified Destination in a Communication Channel
R 942 Overly Permissive Cross-domain Whitelist
R 943 Improper Neutralization of Special Elements in Data Query Logic
D 945 SFP Secondary Cluster: Insecure Resource Access
D 949 SFP Secondary Cluster: Faulty Endpoint Authentication
D 950 SFP Secondary Cluster: Hardcoded Sensitive Data
D 953 SFP Secondary Cluster: Missing Endpoint Authentication
D 954 SFP Secondary Cluster: Multiple Binds to the Same Port
D 955 SFP Secondary Cluster: Unrestricted Authentication
D 960 SFP Secondary Cluster: Ambiguous Exception Type
D 961 SFP Secondary Cluster: Incorrect Exception Behavior
D 962 SFP Secondary Cluster: Unchecked Status Condition
D 963 SFP Secondary Cluster: Exposed Data
D 969 SFP Secondary Cluster: Faulty Memory Release
D R 970 SFP Secondary Cluster: Faulty Buffer Access
D R 971 SFP Secondary Cluster: Faulty Pointer Use
D 972 SFP Secondary Cluster: Faulty String Expansion
D 973 SFP Secondary Cluster: Improper NULL Termination
D R 974 SFP Secondary Cluster: Incorrect Buffer Length Computation
R 978 SFP Secondary Cluster: Implementation
D 979 SFP Secondary Cluster: Failed Chroot Jail
D 980 SFP Secondary Cluster: Link in Resource Name Resolution
D 981 SFP Secondary Cluster: Path Traversal
D R 982 SFP Secondary Cluster: Failure to Release Resource
D R 983 SFP Secondary Cluster: Faulty Resource Use
D 985 SFP Secondary Cluster: Unrestricted Consumption
D 986 SFP Secondary Cluster: Missing Lock
D 987 SFP Secondary Cluster: Multiple Locks/Unlocks
D 988 SFP Secondary Cluster: Race Condition Window
D 989 SFP Secondary Cluster: Unrestricted Lock
D R 990 SFP Secondary Cluster: Tainted Input to Command
D 991 SFP Secondary Cluster: Tainted Input to Environment
D 994 SFP Secondary Cluster: Tainted Input to Variable
D R 998 SFP Secondary Cluster: Glitch in Computation
D R 1000 Research Concepts
D 1001 SFP Secondary Cluster: Use of an Improper API
R 1004 Sensitive Cookie Without 'HttpOnly' Flag
R 1006 Bad Coding Practices
R 1007 Insufficient Visual Distinction of Homoglyphs Presented to User
D 1011 Authorize Actors
D 1013 Encrypt Data
D 1014 Identify Actors
D 1018 Manage User Sessions
R 1021 Improper Restriction of Rendered UI Layers or Frames
R 1022 Use of Web Link to Untrusted Target with window.opener Access
D R 1023 Incomplete Comparison with Missing Factors
R 1024 Comparison of Incompatible Types
D R 1025 Comparison Using Wrong Factors
R 1037 Processor Optimization Removal or Modification of Security-critical Code
R 1038 Insecure Automated Optimizations
R 1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
R 1042 Static Member Data Element outside of a Singleton Class Element
R 1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
R 1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
D R 1046 Creation of Immutable Text Using String Concatenation
R 1047 Modules with Circular Dependencies
R 1049 Excessive Data Query Operations in a Large Data Table
R 1050 Excessive Platform Resource Consumption within a Loop
D 1051 Initialization with Hard-Coded Network Resource Configuration Data
R 1052 Excessive Use of Hard-Coded Literals in Initialization
D R 1053 Missing Documentation for Design
R 1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
R 1055 Multiple Inheritance from Concrete Classes
R 1056 Invokable Control Element with Variadic Parameters
R 1057 Data Access Operations Outside of Expected Data Manager Component
R 1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
R 1059 Incomplete Documentation
D R 1060 Excessive Number of Inefficient Server-Side Data Accesses
R 1061 Insufficient Encapsulation
R 1062 Parent Class with References to Child Class
R 1063 Creation of Class Instance within a Static Code Block
D R 1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
D 1066 Missing Serialization Control Element
R 1067 Excessive Execution of Sequential Searches of Data Resource
R 1068 Inconsistency Between Implementation and Documented Design
R 1069 Empty Exception Block
R 1071 Empty Code Block
R 1072 Data Resource Access without Use of Connection Pooling
D R 1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
D R 1074 Class with Excessively Deep Inheritance
R 1075 Unconditional Control Flow Transfer outside of Switch Block
R 1076 Insufficient Adherence to Expected Conventions
R 1078 Inappropriate Source Code Style or Formatting
R 1079 Parent Class without Virtual Destructor Method
D R 1080 Source Code File with Excessive Number of Lines of Code
R 1082 Class Instance Self Destruction Control Element
R 1083 Data Access from Outside Expected Data Manager Component
D R 1084 Invokable Control Element with Excessive File or Data Access Operations
D R 1085 Invokable Control Element with Excessive Volume of Commented-out Code
D R 1086 Class with Excessive Number of Child Classes
R 1087 Class with Virtual Method without a Virtual Destructor
R 1088 Synchronous Access of Remote Resource without Timeout
D R 1089 Large Data Table with Excessive Number of Indices
R 1090 Method Containing Access of a Member Element from Another Class
R 1091 Use of Object without Invoking Destructor Method
R 1093 Excessively Complex Data Representation
D R 1094 Excessive Index Range Scan for a Data Resource
R 1095 Loop Condition Value Update within the Loop
D R 1096 Singleton Class Instance Creation without Proper Locking or Synchronization
R 1097 Persistent Storable Data Element without Associated Comparison Control Element
R 1098 Data Element containing Pointer Item without Proper Copy Control Element
R 1099 Inconsistent Naming Conventions for Identifiers
R 1100 Insufficient Isolation of System-Dependent Functions
R 1102 Reliance on Machine-Dependent Data Representation
R 1105 Insufficient Encapsulation of Machine-Dependent Functionality
R 1106 Insufficient Use of Symbolic Constants
R 1107 Insufficient Isolation of Symbolic Constant Definitions
R 1108 Excessive Reliance on Global Variables
R 1109 Use of Same Variable for Multiple Purposes
R 1110 Incomplete Design Documentation
R 1111 Incomplete I/O Documentation
R 1112 Incomplete Documentation of Program Execution
R 1113 Inappropriate Comment Style
R 1114 Inappropriate Whitespace Style
R 1115 Source Code Element without Standard Prologue
R 1116 Inaccurate Comments
R 1117 Callable with Insufficient Behavioral Summary
R 1118 Insufficient Documentation of Error Handling Techniques
R 1119 Excessive Use of Unconditional Branching
R 1120 Excessive Code Complexity
R 1121 Excessive McCabe Cyclomatic Complexity
R 1122 Excessive Halstead Complexity
R 1123 Excessive Use of Self-Modifying Code
R 1124 Excessively Deep Nesting
R 1125 Excessive Attack Surface
D 1128 CISQ Quality Measures (2016)
R 1147 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)
R 1164 Irrelevant Code
R 1172 SEI CERT C Coding Standard - Guidelines 51. Microsoft Windows (WIN)
R 1173 Improper Use of Validation Framework
R 1174 ASP.NET Misconfiguration: Improper Model Validation
R 1176 Inefficient CPU Computation
R 1177 Use of Prohibited Code
DNR 1187 DEPRECATED: Use of Uninitialized Resource
R 1188 Insecure Default Initialization of Resource
Back to top
Detailed Difference Report
Detailed Difference Report
2 7PK - Environment
Major References
Minor None
4 DEPRECATED: J2EE Environment Issues
Major Description, Name, Relationships, Taxonomy_Mappings, Type
Minor None
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major References, Relationships
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major References, Relationships
Minor None
7 J2EE Misconfiguration: Missing Custom Error Page
Major References, Relationships
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major References, Relationships
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major References, Relationships
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major References, Relationships, Time_of_Introduction
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major References, Relationships
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major References, Relationships
Minor None
14 Compiler Removal of Code to Clear Buffers
Major References, Relationships
Minor None
15 External Control of System or Configuration Setting
Major References, Relationships
Minor None
16 Configuration
Major Maintenance_Notes, Relationships
Minor None
19 Data Processing Errors
Major Description, Relationships
Minor None
20 Improper Input Validation
Major Potential_Mitigations, References, Related_Attack_Patterns, Relationships
Minor None
21 DEPRECATED: Pathname Traversal and Equivalence Errors
Major Description, Name, Relationships, Type
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Potential_Mitigations, Relationships
Minor None
23 Relative Path Traversal
Major Potential_Mitigations, Relationships
Minor None
24 Path Traversal: '../filedir'
Major Potential_Mitigations, Relationships
Minor None
25 Path Traversal: '/../filedir'
Major Potential_Mitigations, Relationships
Minor None
26 Path Traversal: '/dir/../filename'
Major Potential_Mitigations, Relationships
Minor None
27 Path Traversal: 'dir/../../filename'
Major Potential_Mitigations, Relationships
Minor None
28 Path Traversal: '..\filedir'
Major Potential_Mitigations, Relationships
Minor None
29 Path Traversal: '\..\filename'
Major Potential_Mitigations, Relationships
Minor None
30 Path Traversal: '\dir\..\filename'
Major Potential_Mitigations, Relationships
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Potential_Mitigations, Relationships
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Potential_Mitigations, Relationships
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Potential_Mitigations, Relationships
Minor None
34 Path Traversal: '....//'
Major Potential_Mitigations, Relationships
Minor None
35 Path Traversal: '.../...//'
Major Potential_Mitigations, Relationships
Minor None
36 Absolute Path Traversal
Major Relationships
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Potential_Mitigations, Relationships
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Potential_Mitigations, Relationships
Minor None
39 Path Traversal: 'C:dirname'
Major Potential_Mitigations, Relationships
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Potential_Mitigations, Relationships
Minor None
41 Improper Resolution of Path Equivalence
Major Potential_Mitigations, Relationships
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Relationships
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Relationships
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Relationships
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Relationships
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Relationships
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Relationships
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Relationships
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Relationships
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Relationships
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Relationships
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Relationships
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Relationships
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Relationships
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Relationships
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Relationships
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Relationships
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Relationships
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Relationships
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Relationships
Minor None
62 UNIX Hard Link
Major Relationships
Minor None
64 Windows Shortcut Following (.LNK)
Major Relationships
Minor None
65 Windows Hard Link
Major Relationships
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Relationships
Minor None
67 Improper Handling of Windows Device Names
Major Relationships
Minor None
68 DEPRECATED: Windows Virtual File Problems
Major Description
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Relationships
Minor None
70 DEPRECATED: Mac Virtual File Problems
Major Description
Minor None
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Relationships
Minor None
73 External Control of File Name or Path
Major Potential_Mitigations, References, Relationships, Time_of_Introduction, Type
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major References, Relationship_Notes, Relationships, Theoretical_Notes
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Relationships
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Potential_Mitigations, References, Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Potential_Mitigations, Relationships
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Applicable_Platforms, Potential_Mitigations, Relationships
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Relationships
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Description, Relationships
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Relationships
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Relationships
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Relationships
Minor None
85 Doubled Character XSS Manipulations
Major Relationships
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Relationships
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Relationships
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Potential_Mitigations, Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Potential_Mitigations, Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Potential_Mitigations, Relationships
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Potential_Mitigations, Relationships
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Potential_Mitigations, Relationships
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Potential_Mitigations, Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Other_Notes, Potential_Mitigations, References, Relationships, Type
Minor None
102 Struts: Duplicate Validation Forms
Major References, Relationships
Minor None
103 Struts: Incomplete validate() Method Definition
Major References, Relationships
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major References, Relationships
Minor None
105 Struts: Form Field Without Validator
Major References, Relationships
Minor None
106 Struts: Plug-in Framework not in Use
Major References, Relationships
Minor None
107 Struts: Unused Validation Form
Major References, Relationships
Minor None
108 Struts: Unvalidated Action Form
Major References, Relationships
Minor None
109 Struts: Validator Turned Off
Major References, Relationships
Minor None
110 Struts: Validator Without Form Field
Major References, Relationships
Minor None
111 Direct Use of Unsafe JNI
Major References, Relationships, Type
Minor None
112 Missing XML Validation
Major References, Related_Attack_Patterns, Relationships
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Applicable_Platforms, Potential_Mitigations, Relationships, Type
Minor None
114 Process Control
Major References, Relationships, Type
Minor None
115 Misinterpretation of Input
Major Relationships, Time_of_Introduction
Minor None
116 Improper Encoding or Escaping of Output
Major Relationships
Minor None
117 Improper Output Neutralization for Logs
Major Potential_Mitigations, References, Relationships
Minor None
118 Incorrect Access of Indexable Resource ('Range Error')
Major Applicable_Platforms, Relationships, Time_of_Introduction
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Potential_Mitigations, Relationships
Minor None
121 Stack-based Buffer Overflow
Major Relationships
Minor None
122 Heap-based Buffer Overflow
Major Relationships
Minor None
123 Write-what-where Condition
Major Relationships, Taxonomy_Mappings
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Relationships
Minor None
125 Out-of-bounds Read
Major Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
126 Buffer Over-read
Major Relationships
Minor None
127 Buffer Under-read
Major Relationships
Minor None
128 Wrap-around Error
Major Relationships
Minor None
129 Improper Validation of Array Index
Major Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Relationships
Minor None
131 Incorrect Calculation of Buffer Size
Major Relationships
Minor None
133 String Errors
Major Relationships
Minor None
134 Use of Externally-Controlled Format String
Major Detection_Factors, Relationships
Minor None
136 Type Errors
Major Relationships
Minor None
137 Data Representation Errors
Major Description, Name, Relationships
Minor None
138 Improper Neutralization of Special Elements
Major Potential_Mitigations, Relationships
Minor None
140 Improper Neutralization of Delimiters
Major Potential_Mitigations, Relationships
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Potential_Mitigations, Relationships
Minor None
142 Improper Neutralization of Value Delimiters
Major Potential_Mitigations, Relationships
Minor None
143 Improper Neutralization of Record Delimiters
Major Potential_Mitigations, Relationships
Minor None
144 Improper Neutralization of Line Delimiters
Major Potential_Mitigations, Relationships
Minor None
145 Improper Neutralization of Section Delimiters
Major Potential_Mitigations, Relationships
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Potential_Mitigations, Relationships
Minor None
147 Improper Neutralization of Input Terminators
Major Potential_Mitigations, Relationships
Minor None
148 Improper Neutralization of Input Leaders
Major Potential_Mitigations, Relationships
Minor None
149 Improper Neutralization of Quoting Syntax
Major Potential_Mitigations, Relationships
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
151 Improper Neutralization of Comment Delimiters
Major Potential_Mitigations, Relationships
Minor None
152 Improper Neutralization of Macro Symbols
Major Potential_Mitigations, Relationships
Minor None
153 Improper Neutralization of Substitution Characters
Major Potential_Mitigations, Relationships
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Potential_Mitigations, Relationships
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Potential_Mitigations, Relationships
Minor None
156 Improper Neutralization of Whitespace
Major Potential_Mitigations, Relationships
Minor None
157 Failure to Sanitize Paired Delimiters
Major Potential_Mitigations, Relationships
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Potential_Mitigations, Relationships
Minor None
159 Improper Handling of Invalid Use of Special Elements
Major Description, Name, Potential_Mitigations, Relationships
Minor None
160 Improper Neutralization of Leading Special Elements
Major Potential_Mitigations, Relationships
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Potential_Mitigations, Relationships
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Potential_Mitigations, Relationships
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Potential_Mitigations, Relationships
Minor None
164 Improper Neutralization of Internal Special Elements
Major Potential_Mitigations, Relationships
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Potential_Mitigations, Relationships
Minor None
166 Improper Handling of Missing Special Element
Major Potential_Mitigations, Relationships
Minor None
167 Improper Handling of Additional Special Element
Major Description, Potential_Mitigations, Relationships
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Description, Potential_Mitigations, Relationships
Minor None
170 Improper Null Termination
Major Relationships
Minor None
171 DEPRECATED: Cleansing, Canonicalization, and Comparison Errors
Major Description, Name, Relationships, Type
Minor None
172 Encoding Error
Major Potential_Mitigations, Relationships
Minor None
173 Improper Handling of Alternate Encoding
Major Potential_Mitigations, Relationships
Minor None
174 Double Decoding of the Same Data
Major Potential_Mitigations, Relationships
Minor None
175 Improper Handling of Mixed Encoding
Major Potential_Mitigations, Relationships
Minor None
176 Improper Handling of Unicode Encoding
Major Potential_Mitigations, Relationships
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Potential_Mitigations, Relationships
Minor None
178 Improper Handling of Case Sensitivity
Major Potential_Mitigations, Relationships
Minor None
179 Incorrect Behavior Order: Early Validation
Major Relationships
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Relationships, Type
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Relationships, Type
Minor None
182 Collapse of Data into Unsafe Value
Major Potential_Mitigations, Relationships
Minor None
183 Permissive List of Allowed Inputs
Major Alternate_Terms, Description, Name, Observed_Examples, Relationships
Minor None
184 Incomplete List of Disallowed Inputs
Major Alternate_Terms, Description, Detection_Factors, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships
Minor None
185 Incorrect Regular Expression
Major Relationships, Type
Minor None
186 Overly Restrictive Regular Expression
Major Description, Relationships
Minor None
187 Partial String Comparison
Major Relationships
Minor None
189 Numeric Errors
Major Relationships
Minor None
190 Integer Overflow or Wraparound
Major Relationships
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Relationships
Minor None
192 Integer Coercion Error
Major Relationships
Minor None
193 Off-by-one Error
Major Relationships
Minor None
194 Unexpected Sign Extension
Major Relationships
Minor None
195 Signed to Unsigned Conversion Error
Major Relationships
Minor None
196 Unsigned to Signed Conversion Error
Major Relationships
Minor None
197 Numeric Truncation Error
Major Relationships
Minor None
199 Information Management Errors
Major Relationships
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Observed_Examples, Related_Attack_Patterns, Relationships, Weakness_Ordinalities
Minor None
201 Exposure of Sensitive Information Through Sent Data
Major Demonstrative_Examples, Description, Name, References, Relationships, Type
Minor None
202 Exposure of Sensitive Information Through Data Queries
Major Maintenance_Notes, Name, References, Relationships
Minor None
203 Observable Discrepancy
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Relationships
Minor None
204 Observable Response Discrepancy
Major Description, Name, Relationships
Minor None
205 Observable Behavioral Discrepancy
Major Description, Name, Observed_Examples, Relationships
Minor None
206 Observable Internal Behavioral Discrepancy
Major Description, Name, Potential_Mitigations, Relationships
Minor None
207 Observable Behavioral Discrepancy With Equivalent Products
Major Description, Name, Relationships
Minor None
208 Observable Timing Discrepancy
Major Description, Name, Relationships
Minor None
209 Generation of Error Message Containing Sensitive Information
Major Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities
Minor None
210 Self-generated Error Message Containing Sensitive Information
Major Name, Relationships, Time_of_Introduction
Minor None
211 Externally-Generated Error Message Containing Sensitive Information
Major Description, Name, Relationships
Minor None
212 Improper Removal of Sensitive Information Before Storage or Transfer
Major Description, Name, Relationships, Weakness_Ordinalities
Minor None
213 Exposure of Sensitive Information Due to Incompatible Policies
Major Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Other_Notes, Relationship_Notes, Relationships, Time_of_Introduction
Minor None
214 Invocation of Process Using Visible Sensitive Information
Major Description, Name, Relationships, Type
Minor None
215 Insertion of Sensitive Information Into Debugging Code
Major Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships, Time_of_Introduction, Type
Minor None
216 DEPRECATED: Containment Errors (Container Errors)
Major Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
219 Storage of File with Sensitive Data Under Web Root
Major Description, Name, Relationships
Minor None
220 Storage of File With Sensitive Data Under FTP Root
Major Description, Name, Relationships
Minor None
221 Information Loss or Omission
Major Relationships
Minor None
222 Truncation of Security-relevant Information
Major Relationships
Minor None
223 Omission of Security-relevant Information
Major Relationships
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Relationships
Minor None
226 Sensitive Information Uncleared in Resource Before Release for Reuse
Major Applicable_Platforms, Description, Name, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
227 7PK - API Abuse
Major Description, References, Relationships
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Relationships
Minor None
229 Improper Handling of Values
Major Relationships
Minor None
230 Improper Handling of Missing Values
Major Relationships
Minor None
231 Improper Handling of Extra Values
Major Relationships
Minor None
232 Improper Handling of Undefined Values
Major Relationships
Minor None
233 Improper Handling of Parameters
Major Relationships
Minor None
234 Failure to Handle Missing Parameter
Major Relationships
Minor None
235 Improper Handling of Extra Parameters
Major Relationships
Minor None
236 Improper Handling of Undefined Parameters
Major Relationships
Minor None
237 Improper Handling of Structural Elements
Major Relationships
Minor None
238 Improper Handling of Incomplete Structural Elements
Major Relationships
Minor None
239 Failure to Handle Incomplete Element
Major Relationships
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Relationships
Minor None
241 Improper Handling of Unexpected Data Type
Major Potential_Mitigations, Relationships
Minor None
242 Use of Inherently Dangerous Function
Major References, Relationships
Minor None
243 Creation of chroot Jail Without Changing Working Directory
Major References
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major References, Relationships
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major References, Relationships
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major References, Relationships
Minor None
247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
Major References
Minor None
248 Uncaught Exception
Major References
Minor None
250 Execution with Unnecessary Privileges
Major Applicable_Platforms, Detection_Factors, Observed_Examples, References, Relationships, Type
Minor None
251 Often Misused: String Management
Major Relationships, Taxonomy_Mappings
Minor None
252 Unchecked Return Value
Major References
Minor None
253 Incorrect Check of Function Return Value
Major References
Minor None
254 7PK - Security Features
Major References, Relationships
Minor None
255 Credentials Management Errors
Major Name, Relationships
Minor None
256 Unprotected Storage of Credentials
Major References, Relationships
Minor None
257 Storing Passwords in a Recoverable Format
Major References, Relationships
Minor None
258 Empty Password in Configuration File
Major References, Relationships
Minor None
259 Use of Hard-coded Password
Major References, Relationships, Type
Minor None
260 Password in Configuration File
Major References, Relationships, Type
Minor None
261 Weak Encoding for Password
Major Description, Name, Other_Notes, References, Relationships, Type
Minor None
262 Not Using Password Aging
Major Demonstrative_Examples, Description, Potential_Mitigations, References, Type
Minor None
263 Password Aging with Long Expiration
Major Demonstrative_Examples, References
Minor None
264 Permissions, Privileges, and Access Controls
Major Maintenance_Notes, Relationships
Minor None
265 Privilege Issues
Major Description, Name, Relationships
Minor None
266 Incorrect Privilege Assignment
Major Relationships
Minor None
267 Privilege Defined With Unsafe Actions
Major Relationships
Minor None
269 Improper Privilege Management
Major Observed_Examples, Relationships
Minor None
270 Privilege Context Switching Error
Major Relationships
Minor None
271 Privilege Dropping / Lowering Errors
Major Relationships
Minor None
272 Least Privilege Violation
Major Detection_Factors, References, Relationships
Minor None
273 Improper Check for Dropped Privileges
Major References, Relationships, Time_of_Introduction
Minor None
275 Permission Issues
Major Relationships, Terminology_Notes
Minor None
276 Incorrect Default Permissions
Major Applicable_Platforms, Description, Detection_Factors, Relationships
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Relationships
Minor None
282 Improper Ownership Management
Major Relationships
Minor None
283 Unverified Ownership
Major Relationships
Minor None
284 Improper Access Control
Major Relationships, Taxonomy_Mappings, Type
Minor None
285 Improper Authorization
Major References, Relationships
Minor None
286 Incorrect User Management
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Potential_Mitigations, Relationships
Minor None
290 Authentication Bypass by Spoofing
Major Relationships
Minor None
291 Reliance on IP Address for Authentication
Major References, Relationships
Minor None
293 Using Referer Field for Authentication
Major Relationships
Minor None
294 Authentication Bypass by Capture-replay
Major References, Relationships
Minor None
295 Improper Certificate Validation
Major Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Relationships
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major Demonstrative_Examples, References, Relationships
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major Applicable_Platforms, References, Relationships
Minor None
298 Improper Validation of Certificate Expiration
Major References, Relationships
Minor None
299 Improper Check for Certificate Revocation
Major References, Relationships
Minor None
300 Channel Accessible by Non-Endpoint
Major Alternate_Terms, Name, Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
301 Reflection Attack in an Authentication Protocol
Major References, Relationships
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Relationships
Minor None
303 Incorrect Implementation of Authentication Algorithm
Major Relationships
Minor None
304 Missing Critical Step in Authentication
Major Relationships
Minor None
305 Authentication Bypass by Primary Weakness
Major Relationships
Minor None
306 Missing Authentication for Critical Function
Major Relationships
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Detection_Factors, Relationships
Minor None
308 Use of Single-factor Authentication
Major References, Relationships
Minor None
309 Use of Password System for Primary Authentication
Major References, Relationships
Minor None
310 Cryptographic Issues
Major Description, Maintenance_Notes, Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major References, Relationships
Minor None
312 Cleartext Storage of Sensitive Information
Major Applicable_Platforms, Relationships
Minor None
313 Cleartext Storage in a File or on Disk
Major Relationships
Minor None
314 Cleartext Storage in the Registry
Major Relationships
Minor None
315 Cleartext Storage of Sensitive Information in a Cookie
Major Relationships
Minor None
316 Cleartext Storage of Sensitive Information in Memory
Major Relationships
Minor None
317 Cleartext Storage of Sensitive Information in GUI
Major Relationships
Minor None
318 Cleartext Storage of Sensitive Information in Executable
Major Relationships
Minor None
319 Cleartext Transmission of Sensitive Information
Major Applicable_Platforms, Related_Attack_Patterns, Relationships
Minor None
320 Key Management Errors
Major Maintenance_Notes, Relationships
Minor None
321 Use of Hard-coded Cryptographic Key
Major References, Relationships, Type
Minor None
322 Key Exchange without Entity Authentication
Major Common_Consequences, Demonstrative_Examples, Description, References, Relationships
Minor None
323 Reusing a Nonce, Key Pair in Encryption
Major References
Minor None
324 Use of a Key Past its Expiration Date
Major Relationships
Minor None
325 Missing Required Cryptographic Step
Major Applicable_Platforms, Description, Relationships
Minor None
326 Inadequate Encryption Strength
Major Maintenance_Notes, Potential_Mitigations, Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Applicable_Platforms, Detection_Factors, Maintenance_Notes, Relationships
Minor None
329 Not Using a Random IV with CBC Mode
Major Relationships
Minor None
330 Use of Insufficiently Random Values
Major Applicable_Platforms, Description, Relationships
Minor None
331 Insufficient Entropy
Major Relationships
Minor None
332 Insufficient Entropy in PRNG
Major Relationships
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major References, Relationships
Minor None
334 Small Space of Random Values
Major Relationships
Minor None
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major Relationships
Minor None
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major Relationships
Minor None
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major Description, Relationships
Minor None
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major References, Relationships
Minor None
339 Small Seed Space in PRNG
Major Relationships
Minor None
340 Generation of Predictable Numbers or Identifiers
Major Description, Name, Relationships
Minor None
341 Predictable from Observable State
Major Relationships
Minor None
342 Predictable Exact Value from Previous Values
Major Relationships
Minor None
343 Predictable Value Range from Previous Values
Major Relationships
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships
Minor None
346 Origin Validation Error
Major Relationships
Minor None
347 Improper Verification of Cryptographic Signature
Major Relationships
Minor None
348 Use of Less Trusted Source
Major Relationships
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Relationships
Minor None
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major References, Relationships
Minor None
351 Insufficient Type Distinction
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships
Minor None
353 Missing Support for Integrity Check
Major References, Relationships
Minor None
354 Improper Validation of Integrity Check Value
Major References, Relationships
Minor None
355 User Interface Security Issues
Major Relationships
Minor None
358 Improperly Implemented Security Check for Standard
Major Relationships
Minor None
359 Exposure of Private Personal Information to an Unauthorized Actor
Major Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Type
Minor None
360 Trust of System Event Data
Major References, Relationships
Minor None
361 7PK - Time and State
Major References, Relationships
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Relationships
Minor None
363 Race Condition Enabling Link Following
Major Relationships
Minor None
364 Signal Handler Race Condition
Major References, Relationships
Minor None
365 Race Condition in Switch
Major Description, References, Relationships
Minor None
366 Race Condition within a Thread
Major References, Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major References, Relationships
Minor None
368 Context Switching Race Condition
Major Relationships
Minor None
369 Divide By Zero
Major Relationships
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major References, Relationships
Minor None
371 State Issues
Major Relationships
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major References
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major References
Minor None
376 DEPRECATED: Temporary File Issues
Major Description, Name, Relationships, Type
Minor None
377 Insecure Temporary File
Major References, Relationships, Type
Minor None
378 Creation of Temporary File With Insecure Permissions
Major References, Relationships
Minor None
379 Creation of Temporary File in Directory with Insecure Permissions
Major Name, References, Relationships, Type
Minor None
380 DEPRECATED: Technology-Specific Time and State Issues
Major Description, Name, Relationships, Type
Minor None
381 DEPRECATED: J2EE Time and State Issues
Major Description, Name, Relationships, Type
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major References, Relationships
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major References, Relationships
Minor None
384 Session Fixation
Major References, Relationships
Minor None
385 Covert Timing Channel
Major References, Relationships
Minor None
386 Symbolic Name not Mapping to Correct Object
Major References, Relationships
Minor None
387 Signal Errors
Major Relationships
Minor None
388 7PK - Errors
Major References
Minor None
389 Error Conditions, Return Values, Status Codes
Major Relationships
Minor None
390 Detection of Error Condition Without Action
Major References, Type
Minor None
391 Unchecked Error Condition
Major References
Minor None
393 Return of Wrong Status Code
Major Observed_Examples
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major References
Minor None
396 Declaration of Catch for Generic Exception
Major References
Minor None
397 Declaration of Throws for Generic Exception
Major References
Minor None
398 7PK - Code Quality
Major References
Minor None
399 Resource Management Errors
Major Relationships
Minor None
400 Uncontrolled Resource Consumption
Major Description, References, Related_Attack_Patterns, Relationships
Minor None
401 Missing Release of Memory after Effective Lifetime
Major References, Relationships, Taxonomy_Mappings
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Relationships
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major Relationships
Minor None
404 Improper Resource Shutdown or Release
Major Relationships
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Relationships
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Relationships
Minor None
407 Inefficient Algorithmic Complexity
Major Relationships
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Relationships
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Relationships
Minor None
410 Insufficient Resource Pool
Major Relationships
Minor None
411 Resource Locking Problems
Major Relationships
Minor None
412 Unrestricted Externally Accessible Lock
Major Relationships
Minor None
413 Improper Resource Locking
Major Relationships
Minor None
415 Double Free
Major References, Relationships
Minor None
416 Use After Free
Major References, Relationships, Taxonomy_Mappings
Minor None
417 Communication Channel Errors
Major Description, Maintenance_Notes, Name, Relationship_Notes, Relationships
Minor None
420 Unprotected Alternate Channel
Major Relationships
Minor None
421 Race Condition During Access to Alternate Channel
Major Relationships
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Relationships
Minor None
424 Improper Protection of Alternate Path
Major Relationships
Minor None
425 Direct Request ('Forced Browsing')
Major Applicable_Platforms, Relationships
Minor None
426 Untrusted Search Path
Major References, Relationships
Minor None
427 Uncontrolled Search Path Element
Major Relationships
Minor None
428 Unquoted Search Path or Element
Major Potential_Mitigations, Relationships
Minor None
429 Handler Errors
Major Relationships
Minor None
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Applicable_Platforms, Potential_Mitigations
Minor None
435 Improper Interaction Between Multiple Correctly-Behaving Entities
Major Applicable_Platforms, Type
Minor None
436 Interpretation Conflict
Major Relationships
Minor None
437 Incomplete Model of Endpoint Features
Major Relationships
Minor None
438 Behavioral Problems
Major Relationships
Minor None
440 Expected Behavior Violation
Major Relationships
Minor None
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Relationships
Minor None
442 DEPRECATED: Web Problems
Major Description, Name, Relationships, Taxonomy_Mappings, Type
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Applicable_Platforms, Relationships
Minor None
446 UI Discrepancy for Security Feature
Major Relationships, Type
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Relationships, Time_of_Introduction
Minor None
448 Obsolete Feature in UI
Major Relationships
Minor None
449 The UI Performs the Wrong Action
Major Relationships
Minor None
450 Multiple Interpretations of UI Input
Major Potential_Mitigations
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major Relationships
Minor None
452 Initialization and Cleanup Errors
Major Relationships
Minor None
453 Insecure Default Variable Initialization
Major Relationships, Time_of_Introduction
Minor None
456 Missing Initialization of a Variable
Major Relationships
Minor None
457 Use of Uninitialized Variable
Major References, Relationships, Type
Minor None
460 Improper Cleanup on Thrown Exception
Major References, Type
Minor None
461 DEPRECATED: Data Structure Issues
Major Description, Name, Relationships, Type
Minor None
462 Duplicate Key in Associative List (Alist)
Major References, Relationships
Minor None
463 Deletion of Data Structure Sentinel
Major References, Relationships
Minor None
464 Addition of Data Structure Sentinel
Major References, Relationships
Minor None
465 Pointer Issues
Major Relationships
Minor None
466 Return of Pointer Value Outside of Expected Range
Major References
Minor None
467 Use of sizeof() on a Pointer Type
Major References
Minor None
468 Incorrect Pointer Scaling
Major References
Minor None
469 Use of Pointer Subtraction to Determine Size
Major References, Relationships, Taxonomy_Mappings
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major References, Relationships
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Potential_Mitigations, Relationships
Minor None
473 PHP External Variable Modification
Major Relationships
Minor None
474 Use of Function with Inconsistent Implementations
Major References, Relationships
Minor None
475 Undefined Behavior for Input to API
Major References, Relationships
Minor None
476 NULL Pointer Dereference
Major References
Minor None
477 Use of Obsolete Function
Major References, Relationships
Minor None
478 Missing Default Case in Switch Statement
Major References, Relationships, Type
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major Description, References, Relationships
Minor None
480 Use of Incorrect Operator
Major References, Relationships, Taxonomy_Mappings
Minor None
481 Assigning instead of Comparing
Major References, Relationships
Minor None
482 Comparing instead of Assigning
Major References, Relationships
Minor None
483 Incorrect Block Delimitation
Major References, Relationships, Type
Minor None
484 Omitted Break Statement in Switch
Major References, Relationships
Minor None
485 7PK - Encapsulation
Major References
Minor None
486 Comparison of Classes by Name
Major References, Relationships
Minor None
487 Reliance on Package-level Scope
Major References, Type
Minor None
488 Exposure of Data Element to Wrong Session
Major References, Relationships, Type
Minor None
489 Active Debug Code
Major Description, Name, References, Relationships
Minor None
490 DEPRECATED: Mobile Code Issues
Major Description, Name, Relationships, Type
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major References, Relationships
Minor None
492 Use of Inner Class Containing Sensitive Data
Major Description, References, Relationships
Minor None
493 Critical Public Variable Without Final Modifier
Major References, Relationships
Minor None
494 Download of Code Without Integrity Check
Major Demonstrative_Examples, Relationships
Minor None
495 Private Data Structure Returned From A Public Method
Major References, Relationships
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major References, Relationships
Minor None
497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Major Description, Name, References, Relationships, Type
Minor None
498 Cloneable Class Containing Sensitive Information
Major References, Relationships
Minor None
499 Serializable Class Containing Sensitive Data
Major References, Relationships
Minor None
500 Public Static Field Not Marked Final
Major References, Relationships
Minor None
501 Trust Boundary Violation
Major References
Minor None
502 Deserialization of Untrusted Data
Major Observed_Examples, References, Relationships
Minor None
506 Embedded Malicious Code
Major Relationships
Minor None
507 Trojan Horse
Major Relationships
Minor None
508 Non-Replicating Malicious Code
Major Relationships
Minor None
509 Replicating Malicious Code (Virus or Worm)
Major Relationships
Minor None
510 Trapdoor
Major Detection_Factors, Relationships
Minor None
511 Logic/Time Bomb
Major Applicable_Platforms, Relationships
Minor None
512 Spyware
Major Relationships
Minor None
514 Covert Channel
Major Relationships
Minor None
515 Covert Storage Channel
Major Relationships
Minor None
519 DEPRECATED: .NET Environment Issues
Major Description, Name, Relationships, Taxonomy_Mappings, Type
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Relationships
Minor None
521 Weak Password Requirements
Major Applicable_Platforms, Description, Modes_of_Introduction, Potential_Mitigations, References
Minor None
522 Insufficiently Protected Credentials
Major Description, Relationships, Type
Minor None
523 Unprotected Transport of Credentials
Major Description, Relationships, Type
Minor None
524 Use of Cache Containing Sensitive Information
Major Description, Name, Relationships, Type
Minor None
525 Use of Web Browser Cache Containing Sensitive Information
Major Description, Name, Relationships
Minor None
526 Exposure of Sensitive Information Through Environmental Variables
Major Name, Relationships
Minor None
527 Exposure of Version-Control Repository to an Unauthorized Control Sphere
Major Description, Name, Relationships
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Description, Relationships
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Relationships
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Description, Relationships
Minor None
531 Inclusion of Sensitive Information in Test Code
Major Name, Relationships, Time_of_Introduction
Minor None
532 Insertion of Sensitive Information into Log File
Major Name, Relationships, Type
Minor None
535 Exposure of Information Through Shell Error Message
Major Name, Relationships
Minor None
536 Servlet Runtime Error Message Containing Sensitive Information
Major Name, Relationships
Minor None
537 Java Runtime Error Message Containing Sensitive Information
Major Name, Relationships
Minor None
538 Insertion of Sensitive Information into Externally-Accessible File or Directory
Major Description, Name, Relationships
Minor None
539 Use of Persistent Cookies Containing Sensitive Information
Major Description, Name, Relationships
Minor None
540 Inclusion of Sensitive Information in Source Code
Major Description, Name, Relationships, Type
Minor None
541 Inclusion of Sensitive Information in an Include File
Major Name, Relationships
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Relationships
Minor None
546 Suspicious Comment
Major Applicable_Platforms, Relationships
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Relationships
Minor None
548 Exposure of Information Through Directory Listing
Major Name, Relationships
Minor None
549 Missing Password Field Masking
Major Type
Minor None
550 Server-generated Error Message Containing Sensitive Information
Major Name, Relationships
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Description, Relationships
Minor None
553 Command Shell in Externally Accessible Directory
Major Relationships
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Relationships
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Relationships
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Relationships
Minor None
557 Concurrency Issues
Major Relationships
Minor None
558 Use of getlogin() in Multithreaded Application
Major Relationships
Minor None
559 DEPRECATED: Often Misused: Arguments and Parameters
Major Description, Name, Relationship_Notes, Relationships, Type
Minor None
560 Use of umask() with chmod-style Argument
Major Relationships
Minor None
561 Dead Code
Major Applicable_Platforms, Observed_Examples, Relationships
Minor None
562 Return of Stack Variable Address
Major Relationships
Minor None
563 Assignment to Variable without Use
Major Relationships
Minor None
564 SQL Injection: Hibernate
Major Relationships
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Relationships
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Relationships
Minor None
568 finalize() Method Without super.finalize()
Major Relationships
Minor None
570 Expression is Always False
Major Relationships, Type
Minor None
571 Expression is Always True
Major Relationships, Type
Minor None
572 Call to Thread run() instead of start()
Major Relationships
Minor None
573 Improper Following of Specification by Caller
Major Relationships
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Relationships
Minor None
575 EJB Bad Practices: Use of AWT Swing
Major Relationships
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Relationships
Minor None
577 EJB Bad Practices: Use of Sockets
Major Relationships
Minor None
578 EJB Bad Practices: Use of Class Loader
Major Relationships
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Relationships
Minor None
580 clone() Method Without super.clone()
Major Relationships
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Relationships
Minor None
582 Array Declared Public, Final, and Static
Major Relationships, Taxonomy_Mappings
Minor None
583 finalize() Method Declared Public
Major Description, Relationships
Minor None
585 Empty Synchronized Block
Major Relationships, Type
Minor None
586 Explicit Call to Finalize()
Major Relationships
Minor None
589 Call to Non-ubiquitous API
Major Relationships
Minor None
590 Free of Memory not on the Heap
Major Relationships
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Relationships
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Common_Consequences, Relationships
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Relationships
Minor None
595 Comparison of Object References Instead of Object Contents
Major Relationships
Minor None
597 Use of Wrong Operator in String Comparison
Major Relationships
Minor None
598 Use of GET Request Method With Sensitive Query Strings
Major Description, Name, Potential_Mitigations, Relationships
Minor None
599 Missing Validation of OpenSSL Certificate
Major Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Applicable_Platforms, Potential_Mitigations, Relationships
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Applicable_Platforms, Relationships
Minor None
603 Use of Client-Side Authentication
Major Relationships
Minor None
606 Unchecked Input for Loop Condition
Major Relationships
Minor None
607 Public Static Final Field References Mutable Object
Major Relationships
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Relationships
Minor None
609 Double-Checked Locking
Major Relationships
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Relationships
Minor None
611 Improper Restriction of XML External Entity Reference
Major Applicable_Platforms, Relationships
Minor None
612 Improper Authorization of Index Containing Sensitive Information
Major Description, Name, References, Relationships, Type
Minor None
613 Insufficient Session Expiration
Major Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Applicable_Platforms, Relationships
Minor None
615 Inclusion of Sensitive Information in Source Code Comments
Major Name, Relationships
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Relationships
Minor None
619 Dangling Database Cursor ('Cursor Injection')
Major Relationships
Minor None
620 Unverified Password Change
Major Relationships, Type
Minor None
621 Variable Extraction Error
Major Relationships
Minor None
622 Improper Validation of Function Hook Arguments
Major Relationships
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Relationships
Minor None
624 Executable Regular Expression Error
Major Relationships
Minor None
625 Permissive Regular Expression
Major Relationships
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Relationships
Minor None
627 Dynamic Variable Evaluation
Major Relationships
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Relationships
Minor None
629 Weaknesses in OWASP Top Ten (2007)
Major View_Audience
Minor None
636 Not Failing Securely ('Failing Open')
Major Relationships
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Relationships
Minor None
638 Not Using Complete Mediation
Major Relationships
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Relationships
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Relationships
Minor None
642 External Control of Critical State Data
Major Relationships
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Relationships
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Applicable_Platforms, Relationships
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Relationships
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Applicable_Platforms, Relationships
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Applicable_Platforms, Relationships
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Observed_Examples, Relationships
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Relationships
Minor None
651 Exposure of WSDL File Containing Sensitive Information
Major Name, Relationships
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Relationships
Minor None
653 Insufficient Compartmentalization
Major Demonstrative_Examples, Relationships
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Relationships
Minor None
655 Insufficient Psychological Acceptability
Major Relationships, Time_of_Introduction
Minor None
656 Reliance on Security Through Obscurity
Major Relationships, Time_of_Introduction
Minor None
657 Violation of Secure Design Principles
Major Relationships
Minor None
662 Improper Synchronization
Major Description, Relationships
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Applicable_Platforms, Relationships, Type
Minor None
665 Improper Initialization
Major Relationships
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Relationships, Time_of_Introduction
Minor None
667 Improper Locking
Major Relationships, Type
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major Relationships, Time_of_Introduction
Minor None
671 Lack of Administrator Control over Security
Major Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Applicable_Platforms, Relationships
Minor None
673 External Influence of Sphere Definition
Major Relationships
Minor None
674 Uncontrolled Recursion
Major Related_Attack_Patterns, Relationships
Minor None
675 Duplicate Operations on Resource
Major Relationships
Minor None
676 Use of Potentially Dangerous Function
Major Detection_Factors, References, Relationships
Minor None
681 Incorrect Conversion between Numeric Types
Major Relationships
Minor None
682 Incorrect Calculation
Major Applicable_Platforms, Observed_Examples, Relationships, Type
Minor None
683 Function Call With Incorrect Order of Arguments
Major Relationships
Minor None
684 Incorrect Provision of Specified Functionality
Major Relationships
Minor None
685 Function Call With Incorrect Number of Arguments
Major Relationships
Minor None
686 Function Call With Incorrect Argument Type
Major Relationships
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Relationships, Taxonomy_Mappings
Minor None
688 Function Call With Incorrect Variable or Reference as Argument
Major Relationships
Minor None
689 Permission Race Condition During Resource Copy
Major Relationships
Minor None
691 Insufficient Control Flow Management
Major Applicable_Platforms, Type
Minor None
693 Protection Mechanism Failure
Major Applicable_Platforms, Related_Attack_Patterns, Relationships, Type
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Relationships
Minor None
695 Use of Low-Level Functionality
Major Relationships
Minor None
696 Incorrect Behavior Order
Major Relationships
Minor None
697 Incorrect Comparison
Major Applicable_Platforms, Relationships, Type
Minor None
698 Execution After Redirect (EAR)
Major Relationships
Minor None
699 Software Development
Major Description, Name, Other_Notes, Relationships, View_Audience
Minor None
700 Seven Pernicious Kingdoms
Major References
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Applicable_Platforms, Relationships, Type
Minor None
704 Incorrect Type Conversion or Cast
Major Relationships
Minor None
705 Incorrect Control Flow Scoping
Major Observed_Examples, Relationships
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Relationships
Minor None
707 Improper Neutralization
Major Applicable_Platforms, Description, Name, Relationships, Type
Minor None
708 Incorrect Ownership Assignment
Major Relationships
Minor None
710 Improper Adherence to Coding Standards
Major Applicable_Platforms, Relationships, Type
Minor None
711 Weaknesses in OWASP Top Ten (2004)
Major View_Audience
Minor None
731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction, Relationships
Minor None
733 Compiler Optimization Removal or Modification of Security-critical Code
Major Relationships
Minor None
734 Weaknesses Addressed by the CERT C Secure Coding Standard (2008)
Major View_Audience
Minor None
749 Exposed Dangerous Method or Function
Major Relationships
Minor None
750 Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
Major View_Audience
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Potential_Mitigations, Relationships
Minor None
755 Improper Handling of Exceptional Conditions
Major Relationships
Minor None
756 Missing Custom Error Page
Major Relationships, Type
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Observed_Examples, Relationship_Notes, Relationships
Minor None
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major Relationships
Minor None
759 Use of a One-Way Hash without a Salt
Major Relationships
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major Relationships
Minor None
761 Free of Pointer not at Start of Buffer
Major Relationships
Minor None
762 Mismatched Memory Management Routines
Major Relationships
Minor None
763 Release of Invalid Pointer or Reference
Major Relationships
Minor None
764 Multiple Locks of a Critical Resource
Major Relationships, Type
Minor None
765 Multiple Unlocks of a Critical Resource
Major Relationships
Minor None
766 Critical Data Element Declared Public
Major Relationships
Minor None
767 Access to Critical Private Variable via Public Method
Major Relationships
Minor None
768 Incorrect Short Circuit Evaluation
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
771 Missing Reference to Active Allocated Resource
Major Relationships, Taxonomy_Mappings
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Applicable_Platforms, Relationships, Taxonomy_Mappings
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Relationships, Taxonomy_Mappings
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major Relationships
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Relationships, Taxonomy_Mappings
Minor None
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major Applicable_Platforms, Relationships
Minor None
777 Regular Expression without Anchors
Major Relationships
Minor None
778 Insufficient Logging
Major Relationships
Minor None
779 Logging of Excessive Data
Major Relationships
Minor None
780 Use of RSA Algorithm without OAEP
Major Relationships
Minor None
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major Relationships
Minor None
782 Exposed IOCTL with Insufficient Access Control
Major Relationships
Minor None
783 Operator Precedence Logic Error
Major Relationships
Minor None
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major Applicable_Platforms, Relationships
Minor None
785 Use of Path Manipulation Function without Maximum-sized Buffer
Major References, Relationships
Minor None
786 Access of Memory Location Before Start of Buffer
Major Relationships
Minor None
787 Out-of-bounds Write
Major Observed_Examples, Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Relationships
Minor None
789 Uncontrolled Memory Allocation
Major Relationships
Minor None
790 Improper Filtering of Special Elements
Major Relationships
Minor None
791 Incomplete Filtering of Special Elements
Major Relationships
Minor None
792 Incomplete Filtering of One or More Instances of Special Elements
Major Relationships
Minor None
793 Only Filtering One Instance of a Special Element
Major Relationships
Minor None
794 Incomplete Filtering of Multiple Instances of Special Elements
Major Relationships
Minor None
795 Only Filtering Special Elements at a Specified Location
Major Relationships
Minor None
796 Only Filtering Special Elements Relative to a Marker
Major Relationships
Minor None
797 Only Filtering Special Elements at an Absolute Position
Major Relationships
Minor None
798 Use of Hard-coded Credentials
Major Applicable_Platforms, Relationships
Minor None
799 Improper Control of Interaction Frequency
Major Relationships
Minor None
800 Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
Major View_Audience
Minor None
804 Guessable CAPTCHA
Major Relationships
Minor None
805 Buffer Access with Incorrect Length Value
Major Relationships
Minor None
806 Buffer Access Using Size of Source Buffer
Major Relationships
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Relationships
Minor None
809 Weaknesses in OWASP Top Ten (2010)
Major View_Audience
Minor None
820 Missing Synchronization
Major Relationships
Minor None
821 Incorrect Synchronization
Major Relationships
Minor Description
822 Untrusted Pointer Dereference
Major Relationships
Minor None
823 Use of Out-of-range Pointer Offset
Major Relationships
Minor None
824 Access of Uninitialized Pointer
Major Relationships
Minor None
825 Expired Pointer Dereference
Major Relationships
Minor None
826 Premature Release of Resource During Expected Lifetime
Major Description, Relationships
Minor None
827 Improper Control of Document Type Definition
Major Applicable_Platforms, Relationships
Minor None
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major Relationships
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Potential_Mitigations, Relationships
Minor None
830 Inclusion of Web Functionality from an Untrusted Source
Major Relationships
Minor None
831 Signal Handler Function Associated with Multiple Signals
Major Relationships
Minor None
832 Unlock of a Resource that is not Locked
Major Relationships
Minor None
833 Deadlock
Major Relationships
Minor None
834 Excessive Iteration
Major Relationships
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Relationships
Minor None
836 Use of Password Hash Instead of Password for Authentication
Major Relationships
Minor None
837 Improper Enforcement of a Single, Unique Action
Major Relationships
Minor None
838 Inappropriate Encoding for Output Context
Major Relationships
Minor None
840 Business Logic Errors
Major Relationships
Minor None
841 Improper Enforcement of Behavioral Workflow
Major Relationships
Minor None
842 Placement of User into Incorrect Group
Major Relationships
Minor None
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major Relationships
Minor None
844 Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)
Major View_Audience
Minor None
845 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS)
Major Relationships
Minor None
862 Missing Authorization
Major Relationships
Minor None
863 Incorrect Authorization
Major Relationships
Minor None
868 Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)
Major View_Audience
Minor None
885 SFP Primary Cluster: Risky Values
Major Description
Minor None
886 SFP Primary Cluster: Unused entities
Major Description
Minor None
887 SFP Primary Cluster: API
Major Description
Minor None
888 Software Fault Pattern (SFP) Clusters
Major References, View_Audience
Minor None
889 SFP Primary Cluster: Exception Management
Major Description
Minor None
890 SFP Primary Cluster: Memory Access
Major Description
Minor None
891 SFP Primary Cluster: Memory Management
Major Description
Minor None
892 SFP Primary Cluster: Resource Management
Major Description
Minor None
893 SFP Primary Cluster: Path Resolution
Major Description
Minor None
894 SFP Primary Cluster: Synchronization
Major Description
Minor None
895 SFP Primary Cluster: Information Leak
Major Description
Minor None
896 SFP Primary Cluster: Tainted Input
Major Description
Minor None
897 SFP Primary Cluster: Entry Points
Major Description
Minor None
898 SFP Primary Cluster: Authentication
Major Description
Minor None
899 SFP Primary Cluster: Access Control
Major Description
Minor None
900 Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors
Major View_Audience
Minor None
901 SFP Primary Cluster: Privilege
Major Description
Minor None
908 Use of Uninitialized Resource
Major Description, Relationships
Minor None
909 Missing Initialization of Resource
Major Relationships
Minor None
910 Use of Expired File Descriptor
Major Relationships
Minor None
911 Improper Update of Reference Count
Major Relationships, Type
Minor None
912 Hidden Functionality
Major Relationships
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Relationships
Minor None
914 Improper Control of Dynamically-Identified Variables
Major Relationships
Minor None
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major Relationships
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Relationships
Minor None
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major Relationships
Minor None
918 Server-Side Request Forgery (SSRF)
Major Applicable_Platforms, Relationships
Minor None
919 Weaknesses in Mobile Applications
Major View_Filter
Minor None
920 Improper Restriction of Power Consumption
Major Applicable_Platforms, Relationships
Minor None
921 Storage of Sensitive Data in a Mechanism without Access Control
Major Applicable_Platforms, Relationships
Minor None
922 Insecure Storage of Sensitive Information
Major Relationships
Minor None
923 Improper Restriction of Communication Channel to Intended Endpoints
Major Relationships
Minor None
924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Major Description, Relationships
Minor None
925 Improper Verification of Intent by Broadcast Receiver
Major Applicable_Platforms, Relationships
Minor None
926 Improper Export of Android Application Components
Major Applicable_Platforms, Relationships
Minor None
927 Use of Implicit Intent for Sensitive Communication
Major Applicable_Platforms, Relationships
Minor None
928 Weaknesses in OWASP Top Ten (2013)
Major View_Audience
Minor None
939 Improper Authorization in Handler for Custom URL Scheme
Major Applicable_Platforms, Relationships
Minor None
940 Improper Verification of Source of a Communication Channel
Major Applicable_Platforms, Potential_Mitigations, Relationships
Minor None
941 Incorrectly Specified Destination in a Communication Channel
Major Applicable_Platforms, Relationships
Minor None
942 Overly Permissive Cross-domain Whitelist
Major Applicable_Platforms, Relationships
Minor None
943 Improper Neutralization of Special Elements in Data Query Logic
Major Relationships
Minor None
945 SFP Secondary Cluster: Insecure Resource Access
Major Description
Minor None
949 SFP Secondary Cluster: Faulty Endpoint Authentication
Major Description
Minor None
950 SFP Secondary Cluster: Hardcoded Sensitive Data
Major Description
Minor None
953 SFP Secondary Cluster: Missing Endpoint Authentication
Major Description
Minor None
954 SFP Secondary Cluster: Multiple Binds to the Same Port
Major Description
Minor None
955 SFP Secondary Cluster: Unrestricted Authentication
Major Description
Minor None
960 SFP Secondary Cluster: Ambiguous Exception Type
Major Description
Minor None
961 SFP Secondary Cluster: Incorrect Exception Behavior
Major Description
Minor None
962 SFP Secondary Cluster: Unchecked Status Condition
Major Description
Minor None
963 SFP Secondary Cluster: Exposed Data
Major Description
Minor None
969 SFP Secondary Cluster: Faulty Memory Release
Major Description
Minor None
970 SFP Secondary Cluster: Faulty Buffer Access
Major Description, Relationships
Minor None
971 SFP Secondary Cluster: Faulty Pointer Use
Major Description, Relationships
Minor None
972 SFP Secondary Cluster: Faulty String Expansion
Major Description
Minor None
973 SFP Secondary Cluster: Improper NULL Termination
Major Description
Minor None
974 SFP Secondary Cluster: Incorrect Buffer Length Computation
Major Description, Relationships
Minor None
978 SFP Secondary Cluster: Implementation
Major Relationships
Minor None
979 SFP Secondary Cluster: Failed Chroot Jail
Major Description
Minor None
980 SFP Secondary Cluster: Link in Resource Name Resolution
Major Description
Minor None
981 SFP Secondary Cluster: Path Traversal
Major Description
Minor None
982 SFP Secondary Cluster: Failure to Release Resource
Major Description, Relationships
Minor None
983 SFP Secondary Cluster: Faulty Resource Use
Major Description, Relationships
Minor None
985 SFP Secondary Cluster: Unrestricted Consumption
Major Description
Minor None
986 SFP Secondary Cluster: Missing Lock
Major Description
Minor None
987 SFP Secondary Cluster: Multiple Locks/Unlocks
Major Description
Minor None
988 SFP Secondary Cluster: Race Condition Window
Major Description
Minor None
989 SFP Secondary Cluster: Unrestricted Lock
Major Description
Minor None
990 SFP Secondary Cluster: Tainted Input to Command
Major Description, Relationships
Minor None
991 SFP Secondary Cluster: Tainted Input to Environment
Major Description
Minor None
994 SFP Secondary Cluster: Tainted Input to Variable
Major Description
Minor None
998 SFP Secondary Cluster: Glitch in Computation
Major Description, Relationships
Minor None
999 Weaknesses without Software Fault Patterns
Major View_Audience
Minor None
1000 Research Concepts
Major Description, Relationships, View_Audience
Minor None
1001 SFP Secondary Cluster: Use of an Improper API
Major Description
Minor None
1004 Sensitive Cookie Without 'HttpOnly' Flag
Major Applicable_Platforms, Relationships
Minor None
1005 7PK - Input Validation and Representation
Major References
Minor None
1006 Bad Coding Practices
Major Relationships
Minor None
1007 Insufficient Visual Distinction of Homoglyphs Presented to User
Major Applicable_Platforms, Relationships
Minor None
1008 Architectural Concepts
Major Maintenance_Notes, View_Audience
Minor None
1011 Authorize Actors
Major Description
Minor None
1013 Encrypt Data
Major Description
Minor None
1014 Identify Actors
Major Description
Minor None
1018 Manage User Sessions
Major Description
Minor None
1021 Improper Restriction of Rendered UI Layers or Frames
Major Applicable_Platforms, Relationships
Minor None
1022 Use of Web Link to Untrusted Target with window.opener Access
Major Applicable_Platforms, Relationships
Minor None
1023 Incomplete Comparison with Missing Factors
Major Description, Relationships, Type
Minor None
1024 Comparison of Incompatible Types
Major Relationships
Minor None
1025 Comparison Using Wrong Factors
Major Description, Relationships
Minor None
1026 Weaknesses in OWASP Top Ten (2017)
Major References, View_Audience
Minor None
1027 OWASP Top Ten 2017 Category A1 - Injection
Major References
Minor None
1028 OWASP Top Ten 2017 Category A2 - Broken Authentication
Major References
Minor None
1029 OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
Major References
Minor None
1030 OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)
Major References
Minor None
1031 OWASP Top Ten 2017 Category A5 - Broken Access Control
Major References
Minor None
1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration
Major References
Minor None
1033 OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)
Major References
Minor None
1034 OWASP Top Ten 2017 Category A8 - Insecure Deserialization
Major References
Minor None
1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Major References
Minor None
1036 OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring
Major References
Minor None
1037 Processor Optimization Removal or Modification of Security-critical Code
Major Relationships
Minor None
1038 Insecure Automated Optimizations
Major Relationships
Minor None
1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
Major Relationships
Minor None
1040 Quality Weaknesses with Indirect Security Impacts
Major View_Audience
Minor None
1042 Static Member Data Element outside of a Singleton Class Element
Major Relationships
Minor None
1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
Major Relationships
Minor None
1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
Major Relationships
Minor None
1046 Creation of Immutable Text Using String Concatenation
Major Description, Relationships
Minor None
1047 Modules with Circular Dependencies
Major Relationships
Minor None
1049 Excessive Data Query Operations in a Large Data Table
Major Relationships
Minor None
1050 Excessive Platform Resource Consumption within a Loop
Major Relationships
Minor None
1051 Initialization with Hard-Coded Network Resource Configuration Data
Major Description
Minor None
1052 Excessive Use of Hard-Coded Literals in Initialization
Major Relationships
Minor None
1053 Missing Documentation for Design
Major Description, Relationships
Minor None
1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
Major Relationships
Minor None
1055 Multiple Inheritance from Concrete Classes
Major Relationships
Minor None
1056 Invokable Control Element with Variadic Parameters
Major Relationships
Minor None
1057 Data Access Operations Outside of Expected Data Manager Component
Major Relationships
Minor None
1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Major Relationships
Minor None
1059 Incomplete Documentation
Major Relationships
Minor None
1060 Excessive Number of Inefficient Server-Side Data Accesses
Major Description, Relationships
Minor None
1061 Insufficient Encapsulation
Major Relationships
Minor None
1062 Parent Class with References to Child Class
Major Relationships
Minor None
1063 Creation of Class Instance within a Static Code Block
Major Relationships
Minor None
1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
Major Description, Relationships
Minor None
1066 Missing Serialization Control Element
Major Description
Minor None
1067 Excessive Execution of Sequential Searches of Data Resource
Major Relationships
Minor None
1068 Inconsistency Between Implementation and Documented Design
Major Relationships
Minor None
1069 Empty Exception Block
Major Relationships, Type
Minor None
1071 Empty Code Block
Major Relationships, Type
Minor None
1072 Data Resource Access without Use of Connection Pooling
Major Relationships
Minor None
1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
Major Description, Relationships
Minor None
1074 Class with Excessively Deep Inheritance
Major Description, Relationships
Minor None
1075 Unconditional Control Flow Transfer outside of Switch Block
Major Relationships
Minor None
1076 Insufficient Adherence to Expected Conventions
Major Relationships
Minor None
1078 Inappropriate Source Code Style or Formatting
Major Relationships
Minor None
1079 Parent Class without Virtual Destructor Method
Major Relationships
Minor None
1080 Source Code File with Excessive Number of Lines of Code
Major Description, Relationships
Minor None
1082 Class Instance Self Destruction Control Element
Major Relationships
Minor None
1083 Data Access from Outside Expected Data Manager Component
Major Relationships
Minor None
1084 Invokable Control Element with Excessive File or Data Access Operations
Major Description, Relationships
Minor None
1085 Invokable Control Element with Excessive Volume of Commented-out Code
Major Description, Relationships
Minor None
1086 Class with Excessive Number of Child Classes
Major Description, Relationships
Minor None
1087 Class with Virtual Method without a Virtual Destructor
Major Relationships
Minor None
1088 Synchronous Access of Remote Resource without Timeout
Major Relationships
Minor None
1089 Large Data Table with Excessive Number of Indices
Major Description, Relationships
Minor None
1090 Method Containing Access of a Member Element from Another Class
Major Relationships
Minor None
1091 Use of Object without Invoking Destructor Method
Major Relationships
Minor None
1093 Excessively Complex Data Representation
Major Relationships
Minor None
1094 Excessive Index Range Scan for a Data Resource
Major Description, Relationships
Minor None
1095 Loop Condition Value Update within the Loop
Major Relationships
Minor None
1096 Singleton Class Instance Creation without Proper Locking or Synchronization
Major Description, Relationships
Minor None
1097 Persistent Storable Data Element without Associated Comparison Control Element
Major Relationships
Minor None
1098 Data Element containing Pointer Item without Proper Copy Control Element
Major Relationships
Minor None
1099 Inconsistent Naming Conventions for Identifiers
Major Relationships
Minor None
1100 Insufficient Isolation of System-Dependent Functions
Major Relationships
Minor None
1102 Reliance on Machine-Dependent Data Representation
Major Relationships
Minor None
1105 Insufficient Encapsulation of Machine-Dependent Functionality
Major Relationships
Minor None
1106 Insufficient Use of Symbolic Constants
Major Relationships
Minor None
1107 Insufficient Isolation of Symbolic Constant Definitions
Major Relationships
Minor None
1108 Excessive Reliance on Global Variables
Major Relationships
Minor None
1109 Use of Same Variable for Multiple Purposes
Major Relationships
Minor None
1110 Incomplete Design Documentation
Major Relationships
Minor None
1111 Incomplete I/O Documentation
Major Relationships
Minor None
1112 Incomplete Documentation of Program Execution
Major Relationships
Minor None
1113 Inappropriate Comment Style
Major Relationships
Minor None
1114 Inappropriate Whitespace Style
Major Relationships
Minor None
1115 Source Code Element without Standard Prologue
Major Relationships
Minor None
1116 Inaccurate Comments
Major Relationships
Minor None
1117 Callable with Insufficient Behavioral Summary
Major Relationships
Minor None
1118 Insufficient Documentation of Error Handling Techniques
Major Relationships
Minor None
1119 Excessive Use of Unconditional Branching
Major Relationships
Minor None
1120 Excessive Code Complexity
Major Relationships
Minor None
1121 Excessive McCabe Cyclomatic Complexity
Major Relationships
Minor None
1122 Excessive Halstead Complexity
Major Relationships
Minor None
1123 Excessive Use of Self-Modifying Code
Major Relationships
Minor None
1124 Excessively Deep Nesting
Major Relationships
Minor None
1125 Excessive Attack Surface
Major Relationships
Minor None
1128 CISQ Quality Measures (2016)
Major Description, View_Audience
Minor None
1133 Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java
Major View_Audience
Minor None
1147 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)
Major Relationships
Minor None
1154 Weaknesses Addressed by the SEI CERT C Coding Standard
Major View_Audience
Minor None
1164 Irrelevant Code
Major Relationships
Minor None
1172 SEI CERT C Coding Standard - Guidelines 51. Microsoft Windows (WIN)
Major Relationships
Minor None
1173 Improper Use of Validation Framework
Major Relationships
Minor None
1174 ASP.NET Misconfiguration: Improper Model Validation
Major Relationships
Minor None
1176 Inefficient CPU Computation
Major Relationships
Minor None
1177 Use of Prohibited Code
Major References, Relationships
Minor None
1178 Weaknesses Addressed by the SEI CERT Perl Coding Standard
Major View_Audience
Minor None
1187 DEPRECATED: Use of Uninitialized Resource
Major Description, Name, Relationships, Type, Weakness_Ordinalities
Minor None
1188 Insecure Default Initialization of Resource
Major Relationships
Minor None
1200 Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
Major View_Audience
Minor None
Back to top
Page Last Updated: February 20, 2020
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.