CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 4.8 and Version 4.9  
ID

Differences between Version 4.8 and Version 4.9

Summary
Summary
Total weaknesses/chains/composites (Version 4.9) 933
Total weaknesses/chains/composites (Version 4.8) 927
Total new 6
Total deprecated 1
Total with major changes 231
Total with only minor changes 462
Total unchanged 695

Summary of Entry Types

Type Version 4.8 Version 4.9
Weakness 927 933
Category 352 352
View 48 47
Deprecated 62 63
Total 1389 1395

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 5 0
Description 14 9
Relationships 71 0
Applicable_Platforms 16 539
Modes_of_Introduction 0 0
Detection_Factors 2 0
Potential_Mitigations 12 3
Demonstrative_Examples 59 13
Observed_Examples 57 382
Related_Attack_Patterns 16 0
Weakness_Ordinalities 0 0
Time_of_Introduction 0 0
Likelihood_of_Exploit 0 0
References 84 5
Common_Consequences 1 1
Terminology_Notes 2 0
Alternate_Terms 4 0
Relationship_Notes 3 0
Taxonomy_Mappings 14 0
Maintenance_Notes 11 0
Research_Gaps 1 0
Background_Details 3 0
Theoretical_Notes 1 0
Other_Notes 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 1 0
View_Audience 1 0
Type 1 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1388
View Deprecated 1 999

Status Changes

From To Total
Unchanged 1388
Incomplete Deprecated 1

Relationship Changes

The "Version 4.9 Total" lists the total number of relationships in Version 4.9. The "Shared" value is the total number of relationships in entries that were in both Version 4.9 and Version 4.8. The "New" value is the total number of relationships involving entries that did not exist in Version 4.8. Thus, the total number of relationships in Version 4.9 would combine stats from Shared entries and New entries.

Relationship Version 4.9 Total Version 4.8 Total Version 4.9 Shared Unchanged Added to Version 4.9 Removed from Version 4.8 Version 4.9 New
ALL 10322 10310 10262 10226 36 84 60
ChildOf 4269 4262 4239 4223 16 39 30
ParentOf 4269 4262 4239 4223 16 39 30
MemberOf 643 642 643 642 1
HasMember 643 642 643 642 1
CanPrecede 136 135 136 135 1
CanFollow 136 135 136 135 1
StartsWith 3 3 3 3
Requires 13 13 13 13
RequiredBy 13 13 13 13
CanAlsoBe 27 27 27 27
PeerOf 170 176 170 170 6

Nodes Removed from Version 4.8

CWE-ID CWE Name
None.

Nodes Added to Version 4.9

CWE-ID CWE Name
1389 Incorrect Parsing of Numbers with Different Radices
1390 Weak Authentication
1391 Use of Weak Credentials
1392 Use of Default Credentials
1393 Use of Default Password
1394 Use of Default Cryptographic Key

Nodes Deprecated in Version 4.9

CWE-ID CWE Name
999 DEPRECATED: Weaknesses without Software Fault Patterns
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 20 Improper Input Validation
R 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 123 Write-what-where Condition
R 125 Out-of-bounds Read
R 129 Improper Validation of Array Index
R 185 Incorrect Regular Expression
R 189 Numeric Errors
D 249 DEPRECATED: Often Misused: Path Manipulation
R 261 Weak Encoding for Password
D R 262 Not Using Password Aging
D R 263 Password Aging with Long Expiration
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
R 290 Authentication Bypass by Spoofing
R 294 Authentication Bypass by Capture-replay
R 301 Reflection Attack in an Authentication Protocol
R 302 Authentication Bypass by Assumed-Immutable Data
R 303 Incorrect Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
R 305 Authentication Bypass by Primary Weakness
D R 306 Missing Authentication for Critical Function
D R 307 Improper Restriction of Excessive Authentication Attempts
R 308 Use of Single-factor Authentication
R 309 Use of Password System for Primary Authentication
D 312 Cleartext Storage of Sensitive Information
R 330 Use of Insufficiently Random Values
R 350 Reliance on Reverse DNS Resolution for a Security-Critical Action
R 400 Uncontrolled Resource Consumption
R 404 Improper Resource Shutdown or Release
R 407 Inefficient Algorithmic Complexity
D R 416 Use After Free
R 425 Direct Request ('Forced Browsing')
R 469 Use of Pointer Subtraction to Determine Size
DN 478 Missing Default Case in Multiple Condition Expression
R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
D R 602 Client-Side Enforcement of Server-Side Security
R 603 Use of Client-Side Authentication
R 620 Unverified Password Change
R 640 Weak Password Recovery Mechanism for Forgotten Password
R 664 Improper Control of a Resource Through its Lifetime
R 669 Incorrect Resource Transfer Between Spheres
R 704 Incorrect Type Conversion or Cast
R 771 Missing Reference to Active Allocated Resource
R 772 Missing Release of Resource after Effective Lifetime
R 773 Missing Reference to Active File Descriptor or Handle
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 798 Use of Hard-coded Credentials
D R 804 Guessable CAPTCHA
R 836 Use of Password Hash Instead of Password for Authentication
R 923 Improper Restriction of Communication Channel to Intended Endpoints
R 925 Improper Verification of Intent by Broadcast Receiver
R 940 Improper Verification of Source of a Communication Channel
R 970 SFP Secondary Cluster: Faulty Buffer Access
R 971 SFP Secondary Cluster: Faulty Pointer Use
R 982 SFP Secondary Cluster: Failure to Release Resource
R 983 SFP Secondary Cluster: Faulty Resource Use
R 990 SFP Secondary Cluster: Tainted Input to Command
R 998 SFP Secondary Cluster: Glitch in Computation
DN 999 DEPRECATED: Weaknesses without Software Fault Patterns
R 1003 Weaknesses for Simplified Mapping of Published Vulnerabilities
D 1191 On-Chip Debug and Test Interface With Improper Access Control
R 1195 Manufacturing and Life Cycle Management Concerns
R 1203 Peripherals, On-chip Fabric, and Interface/IO Problems
N 1206 Power, Clock, Thermal, and Reset Concerns
R 1208 Cross-Cutting Problems
R 1243 Sensitive Non-Volatile Information Not Protected During Debug
R 1246 Improper Write Handling in Limited-write Non-Volatile Memories
R 1263 Improper Physical Access Control
D 1273 Device Unlock Credential Sharing
R 1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
R 1284 Improper Validation of Specified Quantity in Input
R 1300 Improper Protection of Physical Side Channels
DN 1317 Improper Access Control in Fabric Bridge
R 1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
N 1320 Improper Protection for Outbound Error Messages and Alert Signals
R 1333 Inefficient Regular Expression Complexity
Detailed Difference Report
Detailed Difference Report
16 Configuration
Major Maintenance_Notes, References
Minor None
20 Improper Input Validation
Major References, Relationships
Minor Applicable_Platforms, Observed_Examples
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Observed_Examples, References
Minor Applicable_Platforms, Demonstrative_Examples
23 Relative Path Traversal
Major Alternate_Terms, Observed_Examples, References
Minor Applicable_Platforms, Demonstrative_Examples
24 Path Traversal: '../filedir'
Major None
Minor Applicable_Platforms
25 Path Traversal: '/../filedir'
Major None
Minor Applicable_Platforms
26 Path Traversal: '/dir/../filename'
Major None
Minor Applicable_Platforms
27 Path Traversal: 'dir/../../filename'
Major None
Minor Applicable_Platforms, Observed_Examples
28 Path Traversal: '..\filedir'
Major None
Minor Applicable_Platforms, Observed_Examples
29 Path Traversal: '\..\filename'
Major None
Minor Applicable_Platforms, Observed_Examples
30 Path Traversal: '\dir\..\filename'
Major None
Minor Applicable_Platforms, Observed_Examples
31 Path Traversal: 'dir\..\..\filename'
Major None
Minor Applicable_Platforms, Observed_Examples
32 Path Traversal: '...' (Triple Dot)
Major None
Minor Applicable_Platforms, Observed_Examples
33 Path Traversal: '....' (Multiple Dot)
Major None
Minor Applicable_Platforms, Observed_Examples
34 Path Traversal: '....//'
Major None
Minor Applicable_Platforms, Observed_Examples
35 Path Traversal: '.../...//'
Major None
Minor Applicable_Platforms, Observed_Examples
36 Absolute Path Traversal
Major Observed_Examples
Minor Applicable_Platforms
37 Path Traversal: '/absolute/pathname/here'
Major None
Minor Applicable_Platforms, Observed_Examples
38 Path Traversal: '\absolute\pathname\here'
Major None
Minor Applicable_Platforms, Observed_Examples
39 Path Traversal: 'C:dirname'
Major None
Minor Applicable_Platforms, Observed_Examples
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major None
Minor Applicable_Platforms, Observed_Examples
41 Improper Resolution of Path Equivalence
Major None
Minor Applicable_Platforms, Observed_Examples
42 Path Equivalence: 'filename.' (Trailing Dot)
Major None
Minor Applicable_Platforms, Observed_Examples
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major None
Minor Applicable_Platforms, Observed_Examples
44 Path Equivalence: 'file.name' (Internal Dot)
Major None
Minor Applicable_Platforms
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major None
Minor Applicable_Platforms
46 Path Equivalence: 'filename ' (Trailing Space)
Major None
Minor Applicable_Platforms, Observed_Examples
47 Path Equivalence: ' filename' (Leading Space)
Major None
Minor Applicable_Platforms
48 Path Equivalence: 'file name' (Internal Whitespace)
Major None
Minor Applicable_Platforms, Observed_Examples
49 Path Equivalence: 'filename/' (Trailing Slash)
Major None
Minor Applicable_Platforms, Observed_Examples
50 Path Equivalence: '//multiple/leading/slash'
Major None
Minor Applicable_Platforms, Observed_Examples
51 Path Equivalence: '/multiple//internal/slash'
Major None
Minor Applicable_Platforms, Observed_Examples
52 Path Equivalence: '/multiple/trailing/slash//'
Major None
Minor Applicable_Platforms, Observed_Examples
53 Path Equivalence: '\multiple\\internal\backslash'
Major None
Minor Applicable_Platforms
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major None
Minor Applicable_Platforms, Observed_Examples
55 Path Equivalence: '/./' (Single Dot Directory)
Major None
Minor Applicable_Platforms, Observed_Examples
56 Path Equivalence: 'filedir*' (Wildcard)
Major None
Minor Applicable_Platforms, Observed_Examples
57 Path Equivalence: 'fakedir/../realdir/filename'
Major None
Minor Applicable_Platforms, Observed_Examples
58 Path Equivalence: Windows 8.3 Filename
Major None
Minor Applicable_Platforms, Observed_Examples
59 Improper Link Resolution Before File Access ('Link Following')
Major Alternate_Terms, Background_Details, Observed_Examples, References, Relationship_Notes, Theoretical_Notes
Minor Applicable_Platforms
61 UNIX Symbolic Link (Symlink) Following
Major Observed_Examples
Minor Applicable_Platforms
62 UNIX Hard Link
Major Observed_Examples
Minor Applicable_Platforms
64 Windows Shortcut Following (.LNK)
Major None
Minor Applicable_Platforms, Observed_Examples
65 Windows Hard Link
Major None
Minor Applicable_Platforms, Observed_Examples
66 Improper Handling of File Names that Identify Virtual Resources
Major None
Minor Applicable_Platforms
67 Improper Handling of Windows Device Names
Major None
Minor Applicable_Platforms, Observed_Examples
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major None
Minor Applicable_Platforms, Observed_Examples
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major None
Minor Applicable_Platforms, Observed_Examples
73 External Control of File Name or Path
Major None
Minor Applicable_Platforms, Observed_Examples
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Observed_Examples
Minor Applicable_Platforms
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major None
Minor Applicable_Platforms
76 Improper Neutralization of Equivalent Special Elements
Major None
Minor Applicable_Platforms
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Observed_Examples, References, Terminology_Notes
Minor Applicable_Platforms
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major References
Minor Applicable_Platforms, Observed_Examples
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Background_Details, Observed_Examples
Minor Applicable_Platforms
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major None
Minor Applicable_Platforms, Observed_Examples
81 Improper Neutralization of Script in an Error Message Web Page
Major None
Minor Applicable_Platforms, Observed_Examples
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major None
Minor Applicable_Platforms, Observed_Examples
83 Improper Neutralization of Script in Attributes in a Web Page
Major None
Minor Applicable_Platforms, Observed_Examples
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major None
Minor Applicable_Platforms, Observed_Examples
85 Doubled Character XSS Manipulations
Major None
Minor Applicable_Platforms, Observed_Examples
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major None
Minor Applicable_Platforms, Observed_Examples
87 Improper Neutralization of Alternate XSS Syntax
Major None
Minor Applicable_Platforms, Observed_Examples
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Observed_Examples
Minor Applicable_Platforms
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Observed_Examples, References
Minor Applicable_Platforms
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Observed_Examples
Minor Applicable_Platforms
91 XML Injection (aka Blind XPath Injection)
Major None
Minor Applicable_Platforms
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major None
Minor Applicable_Platforms, Observed_Examples
94 Improper Control of Generation of Code ('Code Injection')
Major Observed_Examples
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Observed_Examples
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Relationships, Taxonomy_Mappings
Minor Observed_Examples
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major None
Minor Applicable_Platforms
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major References
Minor Observed_Examples
99 Improper Control of Resource Identifiers ('Resource Injection')
Major None
Minor Applicable_Platforms
112 Missing XML Validation
Major None
Minor Applicable_Platforms
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Major Demonstrative_Examples, Related_Attack_Patterns
Minor Applicable_Platforms, Description, Observed_Examples
114 Process Control
Major None
Minor Applicable_Platforms
115 Misinterpretation of Input
Major None
Minor Applicable_Platforms, Observed_Examples
116 Improper Encoding or Escaping of Output
Major Observed_Examples
Minor Applicable_Platforms
117 Improper Output Neutralization for Logs
Major None
Minor Applicable_Platforms, Observed_Examples
118 Incorrect Access of Indexable Resource ('Range Error')
Major None
Minor Applicable_Platforms
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Relationships, Taxonomy_Mappings
Minor Observed_Examples
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major References
Minor Observed_Examples
121 Stack-based Buffer Overflow
Major None
Minor Observed_Examples
122 Heap-based Buffer Overflow
Major None
Minor Observed_Examples
123 Write-what-where Condition
Major Relationships, Taxonomy_Mappings
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major None
Minor Observed_Examples
125 Out-of-bounds Read
Major Applicable_Platforms, Relationships, Taxonomy_Mappings
Minor Observed_Examples
126 Buffer Over-read
Major None
Minor Observed_Examples
129 Improper Validation of Array Index
Major References, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms, Observed_Examples
130 Improper Handling of Length Parameter Inconsistency
Major Taxonomy_Mappings
Minor Applicable_Platforms, Observed_Examples
131 Incorrect Calculation of Buffer Size
Major References
Minor Observed_Examples
134 Use of Externally-Controlled Format String
Major None
Minor Observed_Examples
138 Improper Neutralization of Special Elements
Major None
Minor Applicable_Platforms, Observed_Examples
141 Improper Neutralization of Parameter/Argument Delimiters
Major None
Minor Applicable_Platforms, Observed_Examples
142 Improper Neutralization of Value Delimiters
Major None
Minor Applicable_Platforms, Observed_Examples
143 Improper Neutralization of Record Delimiters
Major None
Minor Applicable_Platforms, Observed_Examples
144 Improper Neutralization of Line Delimiters
Major None
Minor Applicable_Platforms, Observed_Examples
145 Improper Neutralization of Section Delimiters
Major None
Minor Applicable_Platforms
146 Improper Neutralization of Expression/Command Delimiters
Major None
Minor Applicable_Platforms
147 Improper Neutralization of Input Terminators
Major None
Minor Applicable_Platforms, Observed_Examples
149 Improper Neutralization of Quoting Syntax
Major None
Minor Observed_Examples
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major None
Minor Applicable_Platforms, Observed_Examples
151 Improper Neutralization of Comment Delimiters
Major None
Minor Applicable_Platforms, Observed_Examples
152 Improper Neutralization of Macro Symbols
Major None
Minor Applicable_Platforms, Observed_Examples
153 Improper Neutralization of Substitution Characters
Major None
Minor Applicable_Platforms, Observed_Examples
154 Improper Neutralization of Variable Name Delimiters
Major None
Minor Applicable_Platforms, Observed_Examples
155 Improper Neutralization of Wildcards or Matching Symbols
Major None
Minor Applicable_Platforms, Observed_Examples
156 Improper Neutralization of Whitespace
Major None
Minor Applicable_Platforms, Observed_Examples
157 Failure to Sanitize Paired Delimiters
Major None
Minor Applicable_Platforms, Observed_Examples
158 Improper Neutralization of Null Byte or NUL Character
Major None
Minor Applicable_Platforms, Observed_Examples
159 Improper Handling of Invalid Use of Special Elements
Major None
Minor Applicable_Platforms
160 Improper Neutralization of Leading Special Elements
Major None
Minor Applicable_Platforms
161 Improper Neutralization of Multiple Leading Special Elements
Major None
Minor Applicable_Platforms
162 Improper Neutralization of Trailing Special Elements
Major None
Minor Applicable_Platforms
163 Improper Neutralization of Multiple Trailing Special Elements
Major None
Minor Applicable_Platforms
164 Improper Neutralization of Internal Special Elements
Major None
Minor Applicable_Platforms
165 Improper Neutralization of Multiple Internal Special Elements
Major None
Minor Applicable_Platforms
166 Improper Handling of Missing Special Element
Major None
Minor Applicable_Platforms, Observed_Examples
167 Improper Handling of Additional Special Element
Major None
Minor Applicable_Platforms, Observed_Examples
168 Improper Handling of Inconsistent Special Elements
Major None
Minor Applicable_Platforms
170 Improper Null Termination
Major None
Minor Observed_Examples
172 Encoding Error
Major None
Minor Applicable_Platforms
173 Improper Handling of Alternate Encoding
Major None
Minor Applicable_Platforms
174 Double Decoding of the Same Data
Major None
Minor Applicable_Platforms, Observed_Examples
175 Improper Handling of Mixed Encoding
Major None
Minor Applicable_Platforms
176 Improper Handling of Unicode Encoding
Major None
Minor Applicable_Platforms, Observed_Examples
177 Improper Handling of URL Encoding (Hex Encoding)
Major None
Minor Applicable_Platforms, Observed_Examples
178 Improper Handling of Case Sensitivity
Major Observed_Examples
Minor Applicable_Platforms
179 Incorrect Behavior Order: Early Validation
Major None
Minor Applicable_Platforms, Observed_Examples
180 Incorrect Behavior Order: Validate Before Canonicalize
Major None
Minor Applicable_Platforms, Observed_Examples
181 Incorrect Behavior Order: Validate Before Filter
Major None
Minor Applicable_Platforms, Observed_Examples
182 Collapse of Data into Unsafe Value
Major None
Minor Applicable_Platforms, Observed_Examples
183 Permissive List of Allowed Inputs
Major None
Minor Applicable_Platforms, Observed_Examples
184 Incomplete List of Disallowed Inputs
Major None
Minor Applicable_Platforms, Observed_Examples
185 Incorrect Regular Expression
Major Demonstrative_Examples, Relationships
Minor Applicable_Platforms, Observed_Examples
186 Overly Restrictive Regular Expression
Major None
Minor Applicable_Platforms, Observed_Examples
187 Partial String Comparison
Major None
Minor Applicable_Platforms, Observed_Examples
189 Numeric Errors
Major References, Relationships
Minor None
190 Integer Overflow or Wraparound
Major Observed_Examples
Minor Applicable_Platforms
191 Integer Underflow (Wrap or Wraparound)
Major None
Minor Observed_Examples
193 Off-by-one Error
Major None
Minor Applicable_Platforms, Observed_Examples
194 Unexpected Sign Extension
Major None
Minor Observed_Examples
195 Signed to Unsigned Conversion Error
Major None
Minor Observed_Examples
197 Numeric Truncation Error
Major None
Minor Observed_Examples
198 Use of Incorrect Byte Ordering
Major None
Minor Applicable_Platforms
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Demonstrative_Examples, Maintenance_Notes, Observed_Examples, References
Minor Applicable_Platforms
201 Insertion of Sensitive Information Into Sent Data
Major Observed_Examples
Minor Applicable_Platforms
202 Exposure of Sensitive Information Through Data Queries
Major None
Minor Applicable_Platforms
203 Observable Discrepancy
Major None
Minor Applicable_Platforms, Observed_Examples
204 Observable Response Discrepancy
Major None
Minor Applicable_Platforms, Observed_Examples
205 Observable Behavioral Discrepancy
Major None
Minor Applicable_Platforms, Observed_Examples
206 Observable Internal Behavioral Discrepancy
Major None
Minor Applicable_Platforms, Observed_Examples
207 Observable Behavioral Discrepancy With Equivalent Products
Major None
Minor Applicable_Platforms, Observed_Examples
208 Observable Timing Discrepancy
Major None
Minor Applicable_Platforms, Observed_Examples
209 Generation of Error Message Containing Sensitive Information
Major Demonstrative_Examples
Minor Applicable_Platforms, Observed_Examples
210 Self-generated Error Message Containing Sensitive Information
Major None
Minor Applicable_Platforms, Observed_Examples
211 Externally-Generated Error Message Containing Sensitive Information
Major None
Minor Applicable_Platforms, Observed_Examples
212 Improper Removal of Sensitive Information Before Storage or Transfer
Major None
Minor Applicable_Platforms, Observed_Examples
213 Exposure of Sensitive Information Due to Incompatible Policies
Major None
Minor Applicable_Platforms, Observed_Examples
214 Invocation of Process Using Visible Sensitive Information
Major None
Minor Applicable_Platforms, Observed_Examples
215 Insertion of Sensitive Information Into Debugging Code
Major None
Minor Applicable_Platforms, Observed_Examples
219 Storage of File with Sensitive Data Under Web Root
Major None
Minor Applicable_Platforms, Observed_Examples
220 Storage of File With Sensitive Data Under FTP Root
Major None
Minor Applicable_Platforms
221 Information Loss or Omission
Major None
Minor Applicable_Platforms
222 Truncation of Security-relevant Information
Major None
Minor Applicable_Platforms, Observed_Examples
223 Omission of Security-relevant Information
Major None
Minor Applicable_Platforms, Observed_Examples
224 Obscured Security-relevant Information by Alternate Name
Major None
Minor Applicable_Platforms, Observed_Examples
226 Sensitive Information in Resource Not Removed Before Reuse
Major None
Minor Applicable_Platforms, Observed_Examples
230 Improper Handling of Missing Values
Major None
Minor Applicable_Platforms, Observed_Examples
231 Improper Handling of Extra Values
Major None
Minor Applicable_Platforms
232 Improper Handling of Undefined Values
Major None
Minor Applicable_Platforms, Observed_Examples
234 Failure to Handle Missing Parameter
Major None
Minor Applicable_Platforms, Observed_Examples
235 Improper Handling of Extra Parameters
Major None
Minor Applicable_Platforms, Observed_Examples
236 Improper Handling of Undefined Parameters
Major None
Minor Applicable_Platforms, Observed_Examples
238 Improper Handling of Incomplete Structural Elements
Major None
Minor Applicable_Platforms
239 Failure to Handle Incomplete Element
Major None
Minor Applicable_Platforms, Observed_Examples
240 Improper Handling of Inconsistent Structural Elements
Major None
Minor Applicable_Platforms
241 Improper Handling of Unexpected Data Type
Major None
Minor Applicable_Platforms, Observed_Examples
249 DEPRECATED: Often Misused: Path Manipulation
Major Description
Minor None
250 Execution with Unnecessary Privileges
Major References
Minor Applicable_Platforms, Observed_Examples
252 Unchecked Return Value
Major None
Minor Applicable_Platforms, Observed_Examples
253 Incorrect Check of Function Return Value
Major None
Minor Applicable_Platforms
255 Credentials Management Errors
Major References
Minor None
256 Plaintext Storage of a Password
Major Demonstrative_Examples, Observed_Examples, References
Minor Applicable_Platforms
257 Storing Passwords in a Recoverable Format
Major None
Minor Applicable_Platforms
258 Empty Password in Configuration File
Major None
Minor Applicable_Platforms
259 Use of Hard-coded Password
Major Demonstrative_Examples, Observed_Examples, References
Minor Applicable_Platforms
260 Password in Configuration File
Major None
Minor Applicable_Platforms
261 Weak Encoding for Password
Major Relationships
Minor Applicable_Platforms
262 Not Using Password Aging
Major Description, Potential_Mitigations, References, Relationships
Minor Applicable_Platforms
263 Password Aging with Long Expiration
Major Description, Potential_Mitigations, References, Relationships
Minor Applicable_Platforms
264 Permissions, Privileges, and Access Controls
Major Maintenance_Notes, References
Minor None
266 Incorrect Privilege Assignment
Major References
Minor Applicable_Platforms, Observed_Examples
267 Privilege Defined With Unsafe Actions
Major References
Minor Applicable_Platforms, Observed_Examples
268 Privilege Chaining
Major References
Minor Applicable_Platforms, Observed_Examples
269 Improper Privilege Management
Major References
Minor Applicable_Platforms, Observed_Examples
270 Privilege Context Switching Error
Major References
Minor Applicable_Platforms, Observed_Examples
271 Privilege Dropping / Lowering Errors
Major None
Minor Applicable_Platforms, Observed_Examples
272 Least Privilege Violation
Major None
Minor Applicable_Platforms
273 Improper Check for Dropped Privileges
Major None
Minor Applicable_Platforms, Observed_Examples
274 Improper Handling of Insufficient Privileges
Major None
Minor Applicable_Platforms, Observed_Examples
276 Incorrect Default Permissions
Major None
Minor Applicable_Platforms, Observed_Examples
277 Insecure Inherited Permissions
Major None
Minor Applicable_Platforms, Observed_Examples
278 Insecure Preserved Inherited Permissions
Major None
Minor Applicable_Platforms, Observed_Examples
279 Incorrect Execution-Assigned Permissions
Major None
Minor Applicable_Platforms, Observed_Examples
280 Improper Handling of Insufficient Permissions or Privileges
Major None
Minor Applicable_Platforms, Observed_Examples
281 Improper Preservation of Permissions
Major None
Minor Applicable_Platforms, Observed_Examples
282 Improper Ownership Management
Major None
Minor Applicable_Platforms, Observed_Examples
283 Unverified Ownership
Major None
Minor Applicable_Platforms, Observed_Examples
284 Improper Access Control
Major References
Minor Observed_Examples
285 Improper Authorization
Major Observed_Examples
Minor Applicable_Platforms
286 Incorrect User Management
Major None
Minor Applicable_Platforms
287 Improper Authentication
Major Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Relationships
Minor Applicable_Platforms, Observed_Examples
289 Authentication Bypass by Alternate Name
Major Relationships
Minor Applicable_Platforms, Observed_Examples
290 Authentication Bypass by Spoofing
Major Relationships
Minor Observed_Examples
291 Reliance on IP Address for Authentication
Major None
Minor Applicable_Platforms
293 Using Referer Field for Authentication
Major None
Minor Applicable_Platforms
294 Authentication Bypass by Capture-replay
Major Relationships
Minor Applicable_Platforms, Observed_Examples
295 Improper Certificate Validation
Major Observed_Examples, References
Minor Applicable_Platforms
296 Improper Following of a Certificate's Chain of Trust
Major None
Minor Applicable_Platforms, Observed_Examples
297 Improper Validation of Certificate with Host Mismatch
Major References
Minor Applicable_Platforms, Observed_Examples
298 Improper Validation of Certificate Expiration
Major None
Minor Applicable_Platforms
299 Improper Check for Certificate Revocation
Major None
Minor Applicable_Platforms, Observed_Examples
300 Channel Accessible by Non-Endpoint
Major None
Minor Applicable_Platforms, Observed_Examples
301 Reflection Attack in an Authentication Protocol
Major Relationships
Minor Applicable_Platforms, Observed_Examples
302 Authentication Bypass by Assumed-Immutable Data
Major Relationships
Minor Applicable_Platforms, Observed_Examples
303 Incorrect Implementation of Authentication Algorithm
Major Relationships
Minor Applicable_Platforms, Observed_Examples
304 Missing Critical Step in Authentication
Major Relationships
Minor Applicable_Platforms, Observed_Examples
305 Authentication Bypass by Primary Weakness
Major Relationships
Minor Applicable_Platforms, Observed_Examples
306 Missing Authentication for Critical Function
Major Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Demonstrative_Examples, Description, Observed_Examples, References, Relationships
Minor Applicable_Platforms
308 Use of Single-factor Authentication
Major Relationships
Minor Applicable_Platforms
309 Use of Password System for Primary Authentication
Major Relationships
Minor Applicable_Platforms
310 Cryptographic Issues
Major Maintenance_Notes, References
Minor None
311 Missing Encryption of Sensitive Data
Major None
Minor Applicable_Platforms, Observed_Examples
312 Cleartext Storage of Sensitive Information
Major Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References
Minor None
313 Cleartext Storage in a File or on Disk
Major None
Minor Applicable_Platforms, Observed_Examples
314 Cleartext Storage in the Registry
Major None
Minor Applicable_Platforms, Observed_Examples
315 Cleartext Storage of Sensitive Information in a Cookie
Major None
Minor Applicable_Platforms, Observed_Examples
316 Cleartext Storage of Sensitive Information in Memory
Major None
Minor Applicable_Platforms, Observed_Examples
317 Cleartext Storage of Sensitive Information in GUI
Major None
Minor Applicable_Platforms, Observed_Examples
318 Cleartext Storage of Sensitive Information in Executable
Major None
Minor Applicable_Platforms, Observed_Examples
319 Cleartext Transmission of Sensitive Information
Major Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References
Minor None
321 Use of Hard-coded Cryptographic Key
Major Demonstrative_Examples, Observed_Examples, References
Minor Applicable_Platforms
322 Key Exchange without Entity Authentication
Major None
Minor Applicable_Platforms
323 Reusing a Nonce, Key Pair in Encryption
Major None
Minor Applicable_Platforms
324 Use of a Key Past its Expiration Date
Major None
Minor Applicable_Platforms
325 Missing Cryptographic Step
Major None
Minor Applicable_Platforms, Observed_Examples
326 Inadequate Encryption Strength
Major None
Minor Applicable_Platforms, Observed_Examples
327 Use of a Broken or Risky Cryptographic Algorithm
Major Demonstrative_Examples, Observed_Examples, References
Minor Applicable_Platforms
328 Use of Weak Hash
Major Demonstrative_Examples, Observed_Examples, References
Minor Applicable_Platforms
329 Generation of Predictable IV with CBC Mode
Major None
Minor Applicable_Platforms, Observed_Examples
330 Use of Insufficiently Random Values
Major Observed_Examples, Relationships
Minor Applicable_Platforms
331 Insufficient Entropy
Major None
Minor Applicable_Platforms, Observed_Examples
332 Insufficient Entropy in PRNG
Major None
Minor Applicable_Platforms, Observed_Examples
333 Improper Handling of Insufficient Entropy in TRNG
Major None
Minor Applicable_Platforms
334 Small Space of Random Values
Major None
Minor Applicable_Platforms, Observed_Examples
335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Major Observed_Examples
Minor Applicable_Platforms
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major None
Minor Applicable_Platforms
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major Observed_Examples
Minor Applicable_Platforms
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Major None
Minor Applicable_Platforms, Observed_Examples
339 Small Seed Space in PRNG
Major None
Minor Applicable_Platforms, Observed_Examples
341 Predictable from Observable State
Major None
Minor Applicable_Platforms, Observed_Examples
342 Predictable Exact Value from Previous Values
Major None
Minor Applicable_Platforms, Observed_Examples
343 Predictable Value Range from Previous Values
Major None
Minor Applicable_Platforms
344 Use of Invariant Value in Dynamically Changing Context
Major None
Minor Applicable_Platforms, Observed_Examples
345 Insufficient Verification of Data Authenticity
Major None
Minor Applicable_Platforms
346 Origin Validation Error
Major None
Minor Applicable_Platforms, Observed_Examples
347 Improper Verification of Cryptographic Signature
Major None
Minor Applicable_Platforms, Observed_Examples
348 Use of Less Trusted Source
Major None
Minor Applicable_Platforms, Observed_Examples
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major None
Minor Applicable_Platforms, Observed_Examples
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
Major Relationships
Minor Applicable_Platforms, Observed_Examples
351 Insufficient Type Distinction
Major None
Minor Applicable_Platforms, Observed_Examples
352 Cross-Site Request Forgery (CSRF)
Major None
Minor Applicable_Platforms, Observed_Examples
353 Missing Support for Integrity Check
Major None
Minor Applicable_Platforms
354 Improper Validation of Integrity Check Value
Major None
Minor Applicable_Platforms
356 Product UI does not Warn User of Unsafe Actions
Major None
Minor Applicable_Platforms, Observed_Examples
357 Insufficient UI Warning of Dangerous Operations
Major None
Minor Applicable_Platforms, Observed_Examples
358 Improperly Implemented Security Check for Standard
Major None
Minor Applicable_Platforms, Observed_Examples
359 Exposure of Private Personal Information to an Unauthorized Actor
Major None
Minor Applicable_Platforms
360 Trust of System Event Data
Major None
Minor Applicable_Platforms
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Observed_Examples, References
Minor None
363 Race Condition Enabling Link Following
Major None
Minor Applicable_Platforms
364 Signal Handler Race Condition
Major None
Minor Observed_Examples
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major None
Minor Applicable_Platforms, Observed_Examples
368 Context Switching Race Condition
Major None
Minor Applicable_Platforms, Observed_Examples
369 Divide By Zero
Major References
Minor Observed_Examples
370 Missing Check for Certificate Revocation after Initial Check
Major None
Minor Applicable_Platforms
372 Incomplete Internal State Distinction
Major None
Minor Applicable_Platforms
377 Insecure Temporary File
Major None
Minor Applicable_Platforms
378 Creation of Temporary File With Insecure Permissions
Major None
Minor Applicable_Platforms
379 Creation of Temporary File in Directory with Insecure Permissions
Major None
Minor Applicable_Platforms
384 Session Fixation
Major None
Minor Applicable_Platforms
385 Covert Timing Channel
Major Maintenance_Notes
Minor Applicable_Platforms
386 Symbolic Name not Mapping to Correct Object
Major None
Minor Applicable_Platforms
390 Detection of Error Condition Without Action
Major None
Minor Applicable_Platforms
391 Unchecked Error Condition
Major None
Minor Applicable_Platforms
392 Missing Report of Error Condition
Major None
Minor Applicable_Platforms, Observed_Examples
393 Return of Wrong Status Code
Major None
Minor Applicable_Platforms, Observed_Examples
394 Unexpected Status Code or Return Value
Major None
Minor Applicable_Platforms, Observed_Examples
399 Resource Management Errors
Major References
Minor None
400 Uncontrolled Resource Consumption
Major Observed_Examples, Relationships
Minor Applicable_Platforms
401 Missing Release of Memory after Effective Lifetime
Major Taxonomy_Mappings
Minor Observed_Examples
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major None
Minor Applicable_Platforms, Observed_Examples
404 Improper Resource Shutdown or Release
Major Relationships
Minor Applicable_Platforms, Observed_Examples
405 Asymmetric Resource Consumption (Amplification)
Major None
Minor Applicable_Platforms
406 Insufficient Control of Network Message Volume (Network Amplification)
Major None
Minor Applicable_Platforms, Observed_Examples
407 Inefficient Algorithmic Complexity
Major Alternate_Terms, Observed_Examples, Relationships
Minor Applicable_Platforms
408 Incorrect Behavior Order: Early Amplification
Major None
Minor Applicable_Platforms, Observed_Examples
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major None
Minor Applicable_Platforms, Observed_Examples
410 Insufficient Resource Pool
Major None
Minor Applicable_Platforms, Observed_Examples
412 Unrestricted Externally Accessible Lock
Major None
Minor Applicable_Platforms, Observed_Examples
413 Improper Resource Locking
Major None
Minor Applicable_Platforms
414 Missing Lock Check
Major None
Minor Applicable_Platforms, Observed_Examples
415 Double Free
Major None
Minor Observed_Examples
416 Use After Free
Major Description, Relationships, Taxonomy_Mappings
Minor Observed_Examples
419 Unprotected Primary Channel
Major None
Minor Applicable_Platforms
420 Unprotected Alternate Channel
Major None
Minor Applicable_Platforms, Observed_Examples
421 Race Condition During Access to Alternate Channel
Major None
Minor Applicable_Platforms, Observed_Examples
422 Unprotected Windows Messaging Channel ('Shatter')
Major None
Minor Applicable_Platforms, Observed_Examples
424 Improper Protection of Alternate Path
Major None
Minor Applicable_Platforms
425 Direct Request ('Forced Browsing')
Major Relationships
Minor Applicable_Platforms, Observed_Examples
426 Untrusted Search Path
Major None
Minor Applicable_Platforms, Observed_Examples
427 Uncontrolled Search Path Element
Major Observed_Examples
Minor Applicable_Platforms
428 Unquoted Search Path or Element
Major None
Minor Applicable_Platforms, Observed_Examples
430 Deployment of Wrong Handler
Major None
Minor Applicable_Platforms, Observed_Examples
431 Missing Handler
Major None
Minor Applicable_Platforms
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major None
Minor Applicable_Platforms
433 Unparsed Raw Web Content Delivery
Major None
Minor Applicable_Platforms, Observed_Examples
434 Unrestricted Upload of File with Dangerous Type
Major References
Minor Applicable_Platforms, Observed_Examples
435 Improper Interaction Between Multiple Correctly-Behaving Entities
Major None
Minor Applicable_Platforms
436 Interpretation Conflict
Major None
Minor Applicable_Platforms, Observed_Examples
437 Incomplete Model of Endpoint Features
Major None
Minor Applicable_Platforms
439 Behavioral Change in New Version or Environment
Major None
Minor Applicable_Platforms, Observed_Examples
440 Expected Behavior Violation
Major None
Minor Applicable_Platforms, Observed_Examples
441 Unintended Proxy or Intermediary ('Confused Deputy')
Major Related_Attack_Patterns
Minor Applicable_Platforms, Observed_Examples
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Major Related_Attack_Patterns
Minor Applicable_Platforms, Common_Consequences, Observed_Examples, References
446 UI Discrepancy for Security Feature
Major None
Minor Applicable_Platforms, Observed_Examples
447 Unimplemented or Unsupported Feature in UI
Major None
Minor Applicable_Platforms, Observed_Examples
448 Obsolete Feature in UI
Major None
Minor Applicable_Platforms
449 The UI Performs the Wrong Action
Major None
Minor Applicable_Platforms, Observed_Examples
450 Multiple Interpretations of UI Input
Major None
Minor Applicable_Platforms
451 User Interface (UI) Misrepresentation of Critical Information
Major None
Minor Applicable_Platforms, Observed_Examples
453 Insecure Default Variable Initialization
Major None
Minor Applicable_Platforms
454 External Initialization of Trusted Variables or Data Stores
Major None
Minor Applicable_Platforms, Observed_Examples
455 Non-exit on Failed Initialization
Major None
Minor Applicable_Platforms, Observed_Examples
456 Missing Initialization of a Variable
Major None
Minor Applicable_Platforms, Observed_Examples
457 Use of Uninitialized Variable
Major None
Minor Applicable_Platforms, Observed_Examples
459 Incomplete Cleanup
Major None
Minor Applicable_Platforms, Observed_Examples
469 Use of Pointer Subtraction to Determine Size
Major Relationships, Taxonomy_Mappings
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major None
Minor Observed_Examples
471 Modification of Assumed-Immutable Data (MAID)
Major None
Minor Applicable_Platforms, Observed_Examples
472 External Control of Assumed-Immutable Web Parameter
Major None
Minor Applicable_Platforms, Observed_Examples
473 PHP External Variable Modification
Major None
Minor Observed_Examples
474 Use of Function with Inconsistent Implementations
Major None
Minor Applicable_Platforms
475 Undefined Behavior for Input to API
Major None
Minor Applicable_Platforms
476 NULL Pointer Dereference
Major Alternate_Terms, Applicable_Platforms, Observed_Examples
Minor None
477 Use of Obsolete Function
Major None
Minor Applicable_Platforms
478 Missing Default Case in Multiple Condition Expression
Major Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major None
Minor Observed_Examples
480 Use of Incorrect Operator
Major None
Minor Applicable_Platforms
483 Incorrect Block Delimitation
Major None
Minor Observed_Examples
488 Exposure of Data Element to Wrong Session
Major None
Minor Applicable_Platforms
489 Active Debug Code
Major None
Minor Applicable_Platforms
492 Use of Inner Class Containing Sensitive Data
Major Demonstrative_Examples
Minor None
494 Download of Code Without Integrity Check
Major References, Related_Attack_Patterns
Minor Applicable_Platforms, Observed_Examples
497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Major Related_Attack_Patterns
Minor Applicable_Platforms
501 Trust Boundary Violation
Major None
Minor Applicable_Platforms
502 Deserialization of Untrusted Data
Major Applicable_Platforms
Minor Observed_Examples
507 Trojan Horse
Major Related_Attack_Patterns
Minor None
511 Logic/Time Bomb
Major None
Minor Applicable_Platforms
514 Covert Channel
Major Maintenance_Notes
Minor None
515 Covert Storage Channel
Major Maintenance_Notes
Minor None
521 Weak Password Requirements
Major Observed_Examples, Potential_Mitigations, Relationships
Minor Applicable_Platforms
522 Insufficiently Protected Credentials
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
532 Insertion of Sensitive Information into Log File
Major None
Minor Observed_Examples
538 Insertion of Sensitive Information into Externally-Accessible File or Directory
Major None
Minor Applicable_Platforms
546 Suspicious Comment
Major None
Minor Applicable_Platforms
561 Dead Code
Major None
Minor Applicable_Platforms, Observed_Examples
570 Expression is Always False
Major None
Minor Applicable_Platforms
571 Expression is Always True
Major None
Minor Applicable_Platforms
573 Improper Following of Specification by Caller
Major None
Minor Observed_Examples
582 Array Declared Public, Final, and Static
Major Taxonomy_Mappings
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Relationships
Minor None
595 Comparison of Object References Instead of Object Contents
Major None
Minor Applicable_Platforms
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Observed_Examples
Minor Applicable_Platforms
602 Client-Side Enforcement of Server-Side Security
Major Demonstrative_Examples, Description, Observed_Examples, References, Relationships
Minor Applicable_Platforms
603 Use of Client-Side Authentication
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
605 Multiple Binds to the Same Port
Major None
Minor Applicable_Platforms
611 Improper Restriction of XML External Entity Reference
Major None
Minor Observed_Examples
612 Improper Authorization of Index Containing Sensitive Information
Major None
Minor Applicable_Platforms
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major None
Minor Observed_Examples
615 Inclusion of Sensitive Information in Source Code Comments
Major None
Minor Observed_Examples
616 Incomplete Identification of Uploaded File Variables (PHP)
Major None
Minor Observed_Examples
617 Reachable Assertion
Major None
Minor Observed_Examples
618 Exposed Unsafe ActiveX Method
Major None
Minor Observed_Examples
620 Unverified Password Change
Major Relationships
Minor Applicable_Platforms, Observed_Examples
621 Variable Extraction Error
Major None
Minor Observed_Examples
622 Improper Validation of Function Hook Arguments
Major None
Minor Applicable_Platforms, Observed_Examples
623 Unsafe ActiveX Control Marked Safe For Scripting
Major None
Minor Observed_Examples
624 Executable Regular Expression Error
Major None
Minor Observed_Examples
625 Permissive Regular Expression
Major Demonstrative_Examples
Minor Observed_Examples
626 Null Byte Interaction Error (Poison Null Byte)
Major None
Minor Observed_Examples
627 Dynamic Variable Evaluation
Major None
Minor Observed_Examples
628 Function Call with Incorrectly Specified Arguments
Major None
Minor Applicable_Platforms, Observed_Examples
636 Not Failing Securely ('Failing Open')
Major References
Minor Applicable_Platforms, Observed_Examples
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major References
Minor Applicable_Platforms, Observed_Examples
638 Not Using Complete Mediation
Major References
Minor Applicable_Platforms, Observed_Examples
639 Authorization Bypass Through User-Controlled Key
Major None
Minor Applicable_Platforms
640 Weak Password Recovery Mechanism for Forgotten Password
Major Relationships
Minor Applicable_Platforms
641 Improper Restriction of Names for Files and Other Resources
Major None
Minor Applicable_Platforms
642 External Control of Critical State Data
Major None
Minor Applicable_Platforms, Observed_Examples
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major None
Minor Applicable_Platforms
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major None
Minor Applicable_Platforms, Observed_Examples
645 Overly Restrictive Account Lockout Mechanism
Major None
Minor Applicable_Platforms
646 Reliance on File Name or Extension of Externally-Supplied File
Major None
Minor Applicable_Platforms
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major None
Minor Applicable_Platforms
648 Incorrect Use of Privileged APIs
Major None
Minor Applicable_Platforms, Observed_Examples
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major None
Minor Applicable_Platforms, Observed_Examples
650 Trusting HTTP Permission Methods on the Server Side
Major None
Minor Applicable_Platforms
651 Exposure of WSDL File Containing Sensitive Information
Major None
Minor Applicable_Platforms
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major None
Minor Applicable_Platforms
653 Improper Isolation or Compartmentalization
Major References
Minor Applicable_Platforms, Observed_Examples
654 Reliance on a Single Factor in a Security Decision
Major References
Minor Applicable_Platforms
655 Insufficient Psychological Acceptability
Major References
Minor Applicable_Platforms
656 Reliance on Security Through Obscurity
Major Demonstrative_Examples, References
Minor Applicable_Platforms, Observed_Examples
657 Violation of Secure Design Principles
Major References
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major None
Minor Observed_Examples
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor Applicable_Platforms
665 Improper Initialization
Major None
Minor Applicable_Platforms, Observed_Examples
667 Improper Locking
Major None
Minor Observed_Examples
668 Exposure of Resource to Wrong Sphere
Major References
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major None
Minor Observed_Examples
672 Operation on a Resource after Expiration or Release
Major None
Minor Applicable_Platforms, Observed_Examples
674 Uncontrolled Recursion
Major Demonstrative_Examples
Minor Applicable_Platforms, Observed_Examples
675 Multiple Operations on Resource in Single-Operation Context
Major None
Minor Applicable_Platforms
676 Use of Potentially Dangerous Function
Major None
Minor Observed_Examples
680 Integer Overflow to Buffer Overflow
Major None
Minor Applicable_Platforms, Observed_Examples
681 Incorrect Conversion between Numeric Types
Major None
Minor Applicable_Platforms, Observed_Examples
682 Incorrect Calculation
Major None
Minor Applicable_Platforms, Observed_Examples
683 Function Call With Incorrect Order of Arguments
Major None
Minor Observed_Examples
688 Function Call With Incorrect Variable or Reference as Argument
Major None
Minor Observed_Examples
689 Permission Race Condition During Resource Copy
Major None
Minor Observed_Examples
690 Unchecked Return Value to NULL Pointer Dereference
Major None
Minor Observed_Examples
691 Insufficient Control Flow Management
Major None
Minor Applicable_Platforms
692 Incomplete Denylist to Cross-Site Scripting
Major None
Minor Applicable_Platforms, Observed_Examples
693 Protection Mechanism Failure
Major None
Minor Applicable_Platforms
694 Use of Multiple Resources with Duplicate Identifier
Major None
Minor Applicable_Platforms, Observed_Examples
696 Incorrect Behavior Order
Major None
Minor Observed_Examples
697 Incorrect Comparison
Major None
Minor Applicable_Platforms, Observed_Examples
698 Execution After Redirect (EAR)
Major References
Minor Observed_Examples
703 Improper Check or Handling of Exceptional Conditions
Major None
Minor Applicable_Platforms
704 Incorrect Type Conversion or Cast
Major Relationships
Minor Applicable_Platforms
705 Incorrect Control Flow Scoping
Major None
Minor Applicable_Platforms, Observed_Examples
706 Use of Incorrectly-Resolved Name or Reference
Major None
Minor Applicable_Platforms
707 Improper Neutralization
Major None
Minor Applicable_Platforms
708 Incorrect Ownership Assignment
Major None
Minor Applicable_Platforms, Observed_Examples
710 Improper Adherence to Coding Standards
Major None
Minor Applicable_Platforms
732 Incorrect Permission Assignment for Critical Resource
Major Demonstrative_Examples, Observed_Examples, References
Minor Applicable_Platforms
733 Compiler Optimization Removal or Modification of Security-critical Code
Major None
Minor Observed_Examples
749 Exposed Dangerous Method or Function
Major None
Minor Applicable_Platforms, Observed_Examples
754 Improper Check for Unusual or Exceptional Conditions
Major None
Minor Applicable_Platforms, Observed_Examples
755 Improper Handling of Exceptional Conditions
Major None
Minor Applicable_Platforms, Observed_Examples
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major None
Minor Observed_Examples
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major None
Minor Observed_Examples
759 Use of a One-Way Hash without a Salt
Major None
Minor Observed_Examples
760 Use of a One-Way Hash with a Predictable Salt
Major None
Minor Observed_Examples
761 Free of Pointer not at Start of Buffer
Major None
Minor Observed_Examples
765 Multiple Unlocks of a Critical Resource
Major None
Minor Observed_Examples
766 Critical Data Element Declared Public
Major None
Minor Observed_Examples
770 Allocation of Resources Without Limits or Throttling
Major Observed_Examples, References
Minor Applicable_Platforms
771 Missing Reference to Active Allocated Resource
Major Relationships, Taxonomy_Mappings
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Relationships, Taxonomy_Mappings
Minor Observed_Examples
773 Missing Reference to Active File Descriptor or Handle
Major Relationships, Taxonomy_Mappings
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major Relationships, Taxonomy_Mappings
Minor Observed_Examples
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Major None
Minor Observed_Examples
777 Regular Expression without Anchors
Major Demonstrative_Examples, Observed_Examples
Minor None
778 Insufficient Logging
Major Demonstrative_Examples, Potential_Mitigations
Minor Applicable_Platforms, Observed_Examples
779 Logging of Excessive Data
Major None
Minor Applicable_Platforms, Observed_Examples
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major None
Minor Observed_Examples
782 Exposed IOCTL with Insufficient Access Control
Major None
Minor Observed_Examples
783 Operator Precedence Logic Error
Major None
Minor Applicable_Platforms, Observed_Examples
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Major None
Minor Applicable_Platforms, Observed_Examples
786 Access of Memory Location Before Start of Buffer
Major None
Minor Observed_Examples
787 Out-of-bounds Write
Major Applicable_Platforms
Minor Observed_Examples
788 Access of Memory Location After End of Buffer
Major None
Minor Observed_Examples
789 Memory Allocation with Excessive Size Value
Major Observed_Examples
Minor Applicable_Platforms
798 Use of Hard-coded Credentials
Major Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
799 Improper Control of Interaction Frequency
Major None
Minor Applicable_Platforms, Observed_Examples
804 Guessable CAPTCHA
Major Description, Relationships
Minor Applicable_Platforms
805 Buffer Access with Incorrect Length Value
Major References
Minor Observed_Examples
807 Reliance on Untrusted Inputs in a Security Decision
Major None
Minor Applicable_Platforms, Observed_Examples
822 Untrusted Pointer Dereference
Major None
Minor Observed_Examples
823 Use of Out-of-range Pointer Offset
Major None
Minor Observed_Examples
824 Access of Uninitialized Pointer
Major None
Minor Observed_Examples
825 Expired Pointer Dereference
Major None
Minor Observed_Examples
826 Premature Release of Resource During Expected Lifetime
Major None
Minor Observed_Examples
827 Improper Control of Document Type Definition
Major None
Minor Observed_Examples
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major None
Minor Observed_Examples
829 Inclusion of Functionality from Untrusted Control Sphere
Major References, Related_Attack_Patterns
Minor Observed_Examples
832 Unlock of a Resource that is not Locked
Major None
Minor Observed_Examples
833 Deadlock
Major None
Minor Observed_Examples
834 Excessive Iteration
Major None
Minor Observed_Examples
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major None
Minor Applicable_Platforms, Observed_Examples
836 Use of Password Hash Instead of Password for Authentication
Major Relationships
Minor Applicable_Platforms, Observed_Examples
837 Improper Enforcement of a Single, Unique Action
Major None
Minor Applicable_Platforms, Observed_Examples
838 Inappropriate Encoding for Output Context
Major None
Minor Applicable_Platforms, Observed_Examples
839 Numeric Range Comparison Without Minimum Check
Major None
Minor Observed_Examples
840 Business Logic Errors
Major Terminology_Notes
Minor None
841 Improper Enforcement of Behavioral Workflow
Major None
Minor Observed_Examples
842 Placement of User into Incorrect Group
Major None
Minor Applicable_Platforms, Observed_Examples
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major None
Minor Observed_Examples
862 Missing Authorization
Major Observed_Examples
Minor Applicable_Platforms
863 Incorrect Authorization
Major Observed_Examples
Minor Applicable_Platforms
908 Use of Uninitialized Resource
Major None
Minor Applicable_Platforms, Observed_Examples
909 Missing Initialization of Resource
Major None
Minor Applicable_Platforms, Observed_Examples
910 Use of Expired File Descriptor
Major None
Minor Applicable_Platforms
911 Improper Update of Reference Count
Major None
Minor Applicable_Platforms, Observed_Examples
914 Improper Control of Dynamically-Identified Variables
Major None
Minor Observed_Examples
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major None
Minor Applicable_Platforms, Observed_Examples
916 Use of Password Hash With Insufficient Computational Effort
Major None
Minor Applicable_Platforms, Observed_Examples
917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Major None
Minor Observed_Examples
918 Server-Side Request Forgery (SSRF)
Major Observed_Examples
Minor Applicable_Platforms
920 Improper Restriction of Power Consumption
Major None
Minor Applicable_Platforms
921 Storage of Sensitive Data in a Mechanism without Access Control
Major None
Minor Applicable_Platforms
922 Insecure Storage of Sensitive Information
Major Common_Consequences, Relationship_Notes
Minor Applicable_Platforms
923 Improper Restriction of Communication Channel to Intended Endpoints
Major Related_Attack_Patterns, Relationships
Minor Applicable_Platforms
924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Major None
Minor Applicable_Platforms
925 Improper Verification of Intent by Broadcast Receiver
Major Relationships
Minor Applicable_Platforms
926 Improper Export of Android Application Components
Major Background_Details
Minor Applicable_Platforms
927 Use of Implicit Intent for Sensitive Communication
Major None
Minor Applicable_Platforms
939 Improper Authorization in Handler for Custom URL Scheme
Major None
Minor Observed_Examples
940 Improper Verification of Source of a Communication Channel
Major Relationships
Minor Applicable_Platforms, Observed_Examples
941 Incorrectly Specified Destination in a Communication Channel
Major None
Minor Applicable_Platforms, Observed_Examples
942 Permissive Cross-domain Policy with Untrusted Domains
Major None
Minor Applicable_Platforms, Observed_Examples
943 Improper Neutralization of Special Elements in Data Query Logic
Major None
Minor Applicable_Platforms, Observed_Examples
970 SFP Secondary Cluster: Faulty Buffer Access
Major Relationships
Minor None
971 SFP Secondary Cluster: Faulty Pointer Use
Major Relationships
Minor None
982 SFP Secondary Cluster: Failure to Release Resource
Major Relationships
Minor None
983 SFP Secondary Cluster: Faulty Resource Use
Major Relationships
Minor None
990 SFP Secondary Cluster: Tainted Input to Command
Major Relationships
Minor None
998 SFP Secondary Cluster: Glitch in Computation
Major Relationships
Minor None
999 DEPRECATED: Weaknesses without Software Fault Patterns
Major Description, Name, Type, View_Audience, View_Filter
Minor None
1003 Weaknesses for Simplified Mapping of Published Vulnerabilities
Major Relationships
Minor None
1004 Sensitive Cookie Without 'HttpOnly' Flag
Major None
Minor Applicable_Platforms, Observed_Examples
1007 Insufficient Visual Distinction of Homoglyphs Presented to User
Major Demonstrative_Examples
Minor Applicable_Platforms, Description, Observed_Examples
1021 Improper Restriction of Rendered UI Layers or Frames
Major None
Minor Observed_Examples
1023 Incomplete Comparison with Missing Factors
Major None
Minor Applicable_Platforms
1024 Comparison of Incompatible Types
Major None
Minor Applicable_Platforms
1025 Comparison Using Wrong Factors
Major None
Minor Applicable_Platforms
1037 Processor Optimization Removal or Modification of Security-critical Code
Major Applicable_Platforms, Maintenance_Notes
Minor Observed_Examples
1038 Insecure Automated Optimizations
Major None
Minor Applicable_Platforms
1039 Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
Major None
Minor Applicable_Platforms
1041 Use of Redundant Code
Major Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
Minor None
1059 Insufficient Technical Documentation
Major None
Minor Applicable_Platforms
1069 Empty Exception Block
Major Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
Minor None
1104 Use of Unmaintained Third Party Components
Major References
Minor None
1116 Inaccurate Comments
Major Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
Minor None
1173 Improper Use of Validation Framework
Major None
Minor Applicable_Platforms
1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Major Detection_Factors
Minor Applicable_Platforms, Observed_Examples
1190 DMA Device Enabled Too Early in Boot Phase
Major None
Minor Applicable_Platforms
1191 On-Chip Debug and Test Interface With Improper Access Control
Major Description, Related_Attack_Patterns
Minor Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References
1192 System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
Major None
Minor Applicable_Platforms
1195 Manufacturing and Life Cycle Management Concerns
Major Relationships
Minor None
1203 Peripherals, On-chip Fabric, and Interface/IO Problems
Major Relationships
Minor None
1204 Generation of Weak Initialization Vector (IV)
Major None
Minor Applicable_Platforms, Observed_Examples, References
1206 Power, Clock, Thermal, and Reset Concerns
Major Name
Minor None
1208 Cross-Cutting Problems
Major Relationships
Minor None
1209 Failure to Disable Reserved Bits
Major Demonstrative_Examples
Minor Applicable_Platforms
1220 Insufficient Granularity of Access Control
Major None
Minor Applicable_Platforms
1221 Incorrect Register Defaults or Module Parameters
Major Demonstrative_Examples
Minor Applicable_Platforms
1222 Insufficient Granularity of Address Regions Protected by Register Locks
Major None
Minor Applicable_Platforms
1223 Race Condition for Write-Once Attributes
Major Demonstrative_Examples
Minor None
1224 Improper Restriction of Write-Once Bit Fields
Major Demonstrative_Examples
Minor None
1229 Creation of Emergent Resource
Major None
Minor Applicable_Platforms
1230 Exposure of Sensitive Information Through Metadata
Major None
Minor Applicable_Platforms
1231 Improper Prevention of Lock Bit Modification
Major None
Minor Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1232 Improper Lock Behavior After Power State Transition
Major None
Minor Applicable_Platforms
1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
Major None
Minor Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1234 Hardware Internal or Debug Modes Allow Override of Locks
Major Demonstrative_Examples
Minor Applicable_Platforms
1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
Major None
Minor Applicable_Platforms
1236 Improper Neutralization of Formula Elements in a CSV File
Major None
Minor Applicable_Platforms, Observed_Examples
1239 Improper Zeroization of Hardware Register
Major None
Minor Applicable_Platforms
1240 Use of a Cryptographic Primitive with a Risky Implementation
Major None
Minor Applicable_Platforms, Observed_Examples
1242 Inclusion of Undocumented Features or Chicken Bits
Major None
Minor Applicable_Platforms
1243 Sensitive Non-Volatile Information Not Protected During Debug
Major Relationships
Minor Applicable_Platforms
1244 Internal Asset Exposed to Unsafe Debug Access Level or State
Major None
Minor Applicable_Platforms, Observed_Examples
1245 Improper Finite State Machines (FSMs) in Hardware Logic
Major Demonstrative_Examples
Minor Applicable_Platforms
1246 Improper Write Handling in Limited-write Non-Volatile Memories
Major Demonstrative_Examples, Relationships, Research_Gaps
Minor Applicable_Platforms
1247 Improper Protection Against Voltage and Clock Glitches
Major Demonstrative_Examples, References
Minor Applicable_Platforms, Observed_Examples
1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
Major None
Minor Applicable_Platforms
1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System
Major None
Minor Applicable_Platforms
1250 Improper Preservation of Consistency Between Independent Representations of Shared State
Major None
Minor Applicable_Platforms
1251 Mirrored Regions with Different Values
Major None
Minor Applicable_Platforms
1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
Major None
Minor Applicable_Platforms
1253 Incorrect Selection of Fuse Values
Major None
Minor Applicable_Platforms
1254 Incorrect Comparison Logic Granularity
Major Demonstrative_Examples
Minor Applicable_Platforms, Observed_Examples
1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks
Major Demonstrative_Examples
Minor Applicable_Platforms, Observed_Examples
1256 Improper Restriction of Software Interfaces to Hardware Features
Major None
Minor Applicable_Platforms, Observed_Examples
1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
Major Demonstrative_Examples
Minor Applicable_Platforms
1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
Major None
Minor Applicable_Platforms
1259 Improper Restriction of Security Token Assignment
Major None
Minor Applicable_Platforms, Demonstrative_Examples
1260 Improper Handling of Overlap Between Protected Memory Ranges
Major None
Minor Applicable_Platforms, Observed_Examples
1261 Improper Handling of Single Event Upsets
Major None
Minor Applicable_Platforms
1262 Improper Access Control for Register Interface
Major None
Minor Applicable_Platforms, Observed_Examples
1263 Improper Physical Access Control
Major Relationships
Minor Applicable_Platforms
1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels
Major Maintenance_Notes
Minor Applicable_Platforms, Observed_Examples
1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
Major References
Minor Applicable_Platforms, Demonstrative_Examples, Observed_Examples, Potential_Mitigations
1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
Major None
Minor Applicable_Platforms
1267 Policy Uses Obsolete Encoding
Major Demonstrative_Examples
Minor Applicable_Platforms
1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
Major Demonstrative_Examples
Minor Applicable_Platforms
1269 Product Released in Non-Release Configuration
Major None
Minor Applicable_Platforms, Description, Observed_Examples
1270 Generation of Incorrect Security Tokens
Major Demonstrative_Examples
Minor Applicable_Platforms
1271 Uninitialized Value on Reset for Registers Holding Security Settings
Major Demonstrative_Examples
Minor Applicable_Platforms
1272 Sensitive Information Uncleared Before Debug/Power State Transition
Major Applicable_Platforms
Minor Observed_Examples
1273 Device Unlock Credential Sharing
Major Description
Minor Applicable_Platforms, Demonstrative_Examples
1274 Improper Access Control for Volatile Memory Containing Boot Code
Major None
Minor Applicable_Platforms, Observed_Examples
1275 Sensitive Cookie with Improper SameSite Attribute
Major Demonstrative_Examples
Minor Applicable_Platforms
1276 Hardware Child Block Incorrectly Connected to Parent System
Major Demonstrative_Examples
Minor Applicable_Platforms
1277 Firmware Not Updateable
Major Related_Attack_Patterns
Minor Applicable_Platforms, Observed_Examples
1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
Major Relationships
Minor Applicable_Platforms
1279 Cryptographic Operations are run Before Supporting Units are Ready
Major Demonstrative_Examples
Minor Applicable_Platforms
1280 Access Control Check Implemented After Asset is Accessed
Major Demonstrative_Examples
Minor Applicable_Platforms
1281 Sequence of Processor Instructions Leads to Unexpected Behavior
Major Applicable_Platforms, Demonstrative_Examples
Minor Description, Observed_Examples
1282 Assumed-Immutable Data is Stored in Writable Memory
Major None
Minor Applicable_Platforms
1283 Mutable Attestation or Measurement Reporting Data
Major None
Minor Applicable_Platforms
1284 Improper Validation of Specified Quantity in Input
Major Observed_Examples, Relationships
Minor Applicable_Platforms
1285 Improper Validation of Specified Index, Position, or Offset in Input
Major None
Minor Applicable_Platforms, Observed_Examples
1286 Improper Validation of Syntactic Correctness of Input
Major Observed_Examples
Minor Applicable_Platforms
1287 Improper Validation of Specified Type of Input
Major None
Minor Applicable_Platforms, Observed_Examples
1288 Improper Validation of Consistency within Input
Major None
Minor Applicable_Platforms, Observed_Examples
1289 Improper Validation of Unsafe Equivalence in Input
Major Observed_Examples
Minor Applicable_Platforms
1290 Incorrect Decoding of Security Identifiers
Major Demonstrative_Examples, Related_Attack_Patterns
Minor Applicable_Platforms, Description
1291 Public Key Re-Use for Signing both Debug and Production Code
Major None
Minor Applicable_Platforms, Description
1292 Incorrect Conversion of Security Identifiers
Major Demonstrative_Examples, Related_Attack_Patterns
Minor Applicable_Platforms
1293 Missing Source Correlation of Multiple Independent Data
Major None
Minor Applicable_Platforms
1294 Insecure Security Identifier Mechanism
Major None
Minor Applicable_Platforms
1295 Debug Messages Revealing Unnecessary Information
Major References
Minor Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples
1296 Incorrect Chaining or Granularity of Debug Components
Major None
Minor Applicable_Platforms, Observed_Examples
1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
Major None
Minor Applicable_Platforms, Potential_Mitigations
1299 Missing Protection Mechanism for Alternate Hardware Interface
Major None
Minor Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1300 Improper Protection of Physical Side Channels
Major References, Relationships
Minor Applicable_Platforms, Observed_Examples
1301 Insufficient or Incomplete Data Removal within Hardware Component
Major None
Minor Applicable_Platforms, References
1302 Missing Security Identifier
Major Demonstrative_Examples
Minor Applicable_Platforms
1303 Non-Transparent Sharing of Microarchitectural Resources
Major Demonstrative_Examples, Maintenance_Notes
Minor Applicable_Platforms, Description
1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
Major None
Minor Applicable_Platforms, Potential_Mitigations
1310 Missing Ability to Patch ROM Code
Major References, Related_Attack_Patterns
Minor Applicable_Platforms
1311 Improper Translation of Security Attributes by Fabric Bridge
Major Demonstrative_Examples
Minor Applicable_Platforms
1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
Major None
Minor Applicable_Platforms, Demonstrative_Examples
1313 Hardware Allows Activation of Test or Debug Logic at Runtime
Major None
Minor Applicable_Platforms
1314 Missing Write Protection for Parametric Data Values
Major None
Minor Applicable_Platforms, Observed_Examples
1315 Improper Setting of Bus Controlling Capability in Fabric End-point
Major None
Minor Applicable_Platforms, Demonstrative_Examples
1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
Major References
Minor Applicable_Platforms, Demonstrative_Examples, Observed_Examples
1317 Improper Access Control in Fabric Bridge
Major Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations
Minor Applicable_Platforms, Observed_Examples
1318 Missing Support for Security Features in On-chip Fabrics or Buses
Major None
Minor Applicable_Platforms
1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
Major Potential_Mitigations, References, Relationships
Minor Applicable_Platforms
1320 Improper Protection for Outbound Error Messages and Alert Signals
Major Name
Minor Applicable_Platforms
1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Major None
Minor Observed_Examples
1323 Improper Management of Sensitive Trace Data
Major None
Minor Applicable_Platforms
1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
Major None
Minor Applicable_Platforms
1325 Improperly Controlled Sequential Memory Allocation
Major None
Minor Applicable_Platforms, Observed_Examples
1326 Missing Immutable Root of Trust in Hardware
Major None
Minor Applicable_Platforms
1327 Binding to an Unrestricted IP Address
Major None
Minor Applicable_Platforms
1328 Security Version Number Mutable to Older Versions
Major None
Minor Applicable_Platforms
1329 Reliance on Component That is Not Updateable
Major None
Minor Applicable_Platforms, Observed_Examples
1330 Remanent Data Readable after Memory Erase
Major None
Minor Applicable_Platforms, Observed_Examples
1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
Major None
Minor Applicable_Platforms
1332 Improper Handling of Faults that Lead to Instruction Skips
Major References
Minor Applicable_Platforms, Observed_Examples
1333 Inefficient Regular Expression Complexity
Major Observed_Examples, Relationships
Minor Applicable_Platforms
1334 Unauthorized Error Injection Can Degrade Hardware Redundancy
Major None
Minor Applicable_Platforms
1335 Incorrect Bitwise Shift of Integer
Major Demonstrative_Examples, Observed_Examples
Minor Applicable_Platforms
1336 Improper Neutralization of Special Elements Used in a Template Engine
Major None
Minor Applicable_Platforms, Observed_Examples
1338 Improper Protections Against Hardware Overheating
Major Related_Attack_Patterns
Minor Applicable_Platforms
1339 Insufficient Precision or Accuracy of a Real Number
Major Demonstrative_Examples
Minor Applicable_Platforms, Description, Observed_Examples
1341 Multiple Releases of Same Resource or Handle
Major References
Minor Applicable_Platforms, Observed_Examples
1342 Information Exposure through Microarchitectural State after Transient Execution
Major Demonstrative_Examples, Maintenance_Notes, Related_Attack_Patterns
Minor Applicable_Platforms, Observed_Examples
1345 OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Major References
Minor None
1346 OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Major References
Minor None
1347 OWASP Top Ten 2021 Category A03:2021 - Injection
Major References
Minor None
1348 OWASP Top Ten 2021 Category A04:2021 - Insecure Design
Major References
Minor None
1349 OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Major References
Minor None
1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
Major References, Related_Attack_Patterns
Minor Applicable_Platforms
1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components
Major References
Minor None
1353 OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
Major References
Minor None
1354 OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
Major References
Minor None
1355 OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
Major References
Minor None
1356 OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
Major References
Minor None
1357 Reliance on Uncontrolled Component
Major References
Minor Applicable_Platforms, Observed_Examples
1384 Improper Handling of Physical or Environmental Conditions
Major References
Minor None
1385 Missing Origin Validation in WebSockets
Major None
Minor Applicable_Platforms, Observed_Examples, References
1386 Insecure Operation on Windows Junction / Mount Point
Major None
Minor Applicable_Platforms, Observed_Examples
Page Last Updated: October 13, 2022