5 |
J2EE Misconfiguration: Data Transmission Without Encryption |
|
Major |
Relationships |
|
Minor |
None |
6 |
J2EE Misconfiguration: Insufficient Session-ID Length |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
7 |
J2EE Misconfiguration: Missing Custom Error Page |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
8 |
J2EE Misconfiguration: Entity Bean Declared Remote |
|
Major |
Relationships |
|
Minor |
None |
9 |
J2EE Misconfiguration: Weak Access Permissions for EJB Methods |
|
Major |
Relationships |
|
Minor |
None |
11 |
ASP.NET Misconfiguration: Creating Debug Binary |
|
Major |
Relationships |
|
Minor |
None |
12 |
ASP.NET Misconfiguration: Missing Custom Error Page |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
13 |
ASP.NET Misconfiguration: Password in Configuration File |
|
Major |
Relationships |
|
Minor |
None |
14 |
Compiler Removal of Code to Clear Buffers |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
15 |
External Control of System or Configuration Setting |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
20 |
Improper Input Validation |
|
Major |
Demonstrative_Examples, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
21 |
Pathname Traversal and Equivalence Errors |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
23 |
Relative Path Traversal |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
24 |
Path Traversal: '../filedir' |
|
Major |
Relationships |
|
Minor |
None |
25 |
Path Traversal: '/../filedir' |
|
Major |
Relationships |
|
Minor |
None |
26 |
Path Traversal: '/dir/../filename' |
|
Major |
Relationships |
|
Minor |
None |
27 |
Path Traversal: 'dir/../../filename' |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
28 |
Path Traversal: '..\filedir' |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
29 |
Path Traversal: '\..\filename' |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
30 |
Path Traversal: '\dir\..\filename' |
|
Major |
Relationships |
|
Minor |
None |
31 |
Path Traversal: 'dir\..\..\filename' |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
32 |
Path Traversal: '...' (Triple Dot) |
|
Major |
Relationships |
|
Minor |
None |
33 |
Path Traversal: '....' (Multiple Dot) |
|
Major |
Relationships |
|
Minor |
None |
34 |
Path Traversal: '....//' |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
35 |
Path Traversal: '.../...//' |
|
Major |
Relationships |
|
Minor |
None |
36 |
Absolute Path Traversal |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
37 |
Path Traversal: '/absolute/pathname/here' |
|
Major |
Relationships |
|
Minor |
None |
38 |
Path Traversal: '\absolute\pathname\here' |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
39 |
Path Traversal: 'C:dirname' |
|
Major |
Common_Consequences, Observed_Examples, Relationships |
|
Minor |
None |
40 |
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
41 |
Improper Resolution of Path Equivalence |
|
Major |
Common_Consequences, Observed_Examples, Relationships |
|
Minor |
None |
42 |
Path Equivalence: 'filename.' (Trailing Dot) |
|
Major |
Relationships |
|
Minor |
None |
43 |
Path Equivalence: 'filename....' (Multiple Trailing Dot) |
|
Major |
Relationships |
|
Minor |
None |
44 |
Path Equivalence: 'file.name' (Internal Dot) |
|
Major |
Relationships |
|
Minor |
None |
45 |
Path Equivalence: 'file...name' (Multiple Internal Dot) |
|
Major |
Relationships |
|
Minor |
None |
46 |
Path Equivalence: 'filename ' (Trailing Space) |
|
Major |
Relationships |
|
Minor |
None |
47 |
Path Equivalence: ' filename' (Leading Space) |
|
Major |
Relationships |
|
Minor |
None |
48 |
Path Equivalence: 'file name' (Internal Whitespace) |
|
Major |
Relationships |
|
Minor |
None |
49 |
Path Equivalence: 'filename/' (Trailing Slash) |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
50 |
Path Equivalence: '//multiple/leading/slash' |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
51 |
Path Equivalence: '/multiple//internal/slash' |
|
Major |
Relationships |
|
Minor |
None |
52 |
Path Equivalence: '/multiple/trailing/slash//' |
|
Major |
Relationships |
|
Minor |
None |
53 |
Path Equivalence: '\multiple\\internal\backslash' |
|
Major |
Relationships |
|
Minor |
None |
54 |
Path Equivalence: 'filedir\' (Trailing Backslash) |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
55 |
Path Equivalence: '/./' (Single Dot Directory) |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
56 |
Path Equivalence: 'filedir*' (Wildcard) |
|
Major |
Relationships |
|
Minor |
None |
57 |
Path Equivalence: 'fakedir/../realdir/filename' |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
58 |
Path Equivalence: Windows 8.3 Filename |
|
Major |
References, Relationships |
|
Minor |
None |
59 |
Improper Link Resolution Before File Access ('Link Following') |
|
Major |
Common_Consequences, Observed_Examples, References, Relationships |
|
Minor |
None |
61 |
UNIX Symbolic Link (Symlink) Following |
|
Major |
Observed_Examples, References |
|
Minor |
None |
62 |
UNIX Hard Link |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
64 |
Windows Shortcut Following (.LNK) |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
65 |
Windows Hard Link |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
66 |
Improper Handling of File Names that Identify Virtual Resources |
|
Major |
Relationships |
|
Minor |
None |
67 |
Improper Handling of Windows Device Names |
|
Major |
Observed_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
69 |
Improper Handling of Windows ::DATA Alternate Data Stream |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
71 |
Apple '.DS_Store' |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
72 |
Improper Handling of Apple HFS+ Alternate Data Stream Path |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
73 |
External Control of File Name or Path |
|
Major |
Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
75 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
|
Major |
Relationships |
|
Minor |
None |
76 |
Improper Neutralization of Equivalent Special Elements |
|
Major |
Relationships |
|
Minor |
None |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
Major |
References, Relationships |
|
Minor |
None |
80 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
81 |
Improper Neutralization of Script in an Error Message Web Page |
|
Major |
References, Relationships |
|
Minor |
None |
82 |
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
|
Major |
Relationships |
|
Minor |
None |
83 |
Improper Neutralization of Script in Attributes in a Web Page |
|
Major |
Relationships |
|
Minor |
None |
84 |
Improper Neutralization of Encoded URI Schemes in a Web Page |
|
Major |
Relationships |
|
Minor |
None |
85 |
Doubled Character XSS Manipulations |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
86 |
Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
87 |
Improper Neutralization of Alternate XSS Syntax |
|
Major |
Relationships |
|
Minor |
None |
88 |
Argument Injection or Modification |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
Major |
Potential_Mitigations, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
Major |
Common_Consequences, Observed_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
91 |
XML Injection (aka Blind XPath Injection) |
|
Major |
References, Relationships |
|
Minor |
None |
93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
|
Major |
Relationships |
|
Minor |
None |
94 |
Improper Control of Generation of Code ('Code Injection') |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Relationships |
|
Minor |
None |
96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
97 |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
|
Major |
Relationships |
|
Minor |
None |
99 |
Improper Control of Resource Identifiers ('Resource Injection') |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
100 |
Technology-Specific Input Validation Problems |
|
Major |
Relationships |
|
Minor |
None |
102 |
Struts: Duplicate Validation Forms |
|
Major |
Relationships |
|
Minor |
None |
103 |
Struts: Incomplete validate() Method Definition |
|
Major |
Relationships |
|
Minor |
None |
104 |
Struts: Form Bean Does Not Extend Validation Class |
|
Major |
Relationships |
|
Minor |
None |
105 |
Struts: Form Field Without Validator |
|
Major |
Relationships |
|
Minor |
None |
106 |
Struts: Plug-in Framework not in Use |
|
Major |
Relationships |
|
Minor |
None |
107 |
Struts: Unused Validation Form |
|
Major |
Relationships |
|
Minor |
None |
108 |
Struts: Unvalidated Action Form |
|
Major |
Relationships |
|
Minor |
None |
109 |
Struts: Validator Turned Off |
|
Major |
Relationships |
|
Minor |
None |
110 |
Struts: Validator Without Form Field |
|
Major |
Relationships |
|
Minor |
None |
111 |
Direct Use of Unsafe JNI |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
112 |
Missing XML Validation |
|
Major |
Relationships |
|
Minor |
None |
113 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
114 |
Process Control |
|
Major |
Relationships |
|
Minor |
None |
115 |
Misinterpretation of Input |
|
Major |
Relationships |
|
Minor |
None |
116 |
Improper Encoding or Escaping of Output |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
117 |
Improper Output Neutralization for Logs |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
118 |
Improper Access of Indexable Resource ('Range Error') |
|
Major |
Relationships |
|
Minor |
None |
119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
Major |
Demonstrative_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
Major |
References, Relationships |
|
Minor |
None |
121 |
Stack-based Buffer Overflow |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
122 |
Heap-based Buffer Overflow |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
123 |
Write-what-where Condition |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
124 |
Buffer Underwrite ('Buffer Underflow') |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
125 |
Out-of-bounds Read |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
126 |
Buffer Over-read |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
127 |
Buffer Under-read |
|
Major |
Relationships |
|
Minor |
None |
128 |
Wrap-around Error |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Relationships |
|
Minor |
None |
129 |
Improper Validation of Array Index |
|
Major |
Demonstrative_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
130 |
Improper Handling of Length Parameter Inconsistency |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
131 |
Incorrect Calculation of Buffer Size |
|
Major |
Demonstrative_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
133 |
String Errors |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
134 |
Uncontrolled Format String |
|
Major |
Observed_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
135 |
Incorrect Calculation of Multi-Byte String Length |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
138 |
Improper Neutralization of Special Elements |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
140 |
Improper Neutralization of Delimiters |
|
Major |
Relationships |
|
Minor |
None |
141 |
Improper Neutralization of Parameter/Argument Delimiters |
|
Major |
References, Relationships |
|
Minor |
None |
142 |
Improper Neutralization of Value Delimiters |
|
Major |
References, Relationships |
|
Minor |
None |
143 |
Improper Neutralization of Record Delimiters |
|
Major |
References, Relationships |
|
Minor |
None |
144 |
Improper Neutralization of Line Delimiters |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
145 |
Improper Neutralization of Section Delimiters |
|
Major |
References, Relationships |
|
Minor |
None |
146 |
Improper Neutralization of Expression/Command Delimiters |
|
Major |
References, Relationships |
|
Minor |
None |
147 |
Improper Neutralization of Input Terminators |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
148 |
Improper Neutralization of Input Leaders |
|
Major |
Relationships |
|
Minor |
None |
149 |
Improper Neutralization of Quoting Syntax |
|
Major |
Observed_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
150 |
Improper Neutralization of Escape, Meta, or Control Sequences |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
151 |
Improper Neutralization of Comment Delimiters |
|
Major |
Relationships |
|
Minor |
None |
152 |
Improper Neutralization of Macro Symbols |
|
Major |
Relationships |
|
Minor |
None |
153 |
Improper Neutralization of Substitution Characters |
|
Major |
Relationships |
|
Minor |
None |
154 |
Improper Neutralization of Variable Name Delimiters |
|
Major |
Relationships |
|
Minor |
None |
155 |
Improper Neutralization of Wildcards or Matching Symbols |
|
Major |
Relationships |
|
Minor |
None |
156 |
Improper Neutralization of Whitespace |
|
Major |
Relationships |
|
Minor |
None |
157 |
Failure to Sanitize Paired Delimiters |
|
Major |
Relationships |
|
Minor |
None |
158 |
Improper Neutralization of Null Byte or NUL Character |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
159 |
Failure to Sanitize Special Element |
|
Major |
Relationships |
|
Minor |
None |
160 |
Improper Neutralization of Leading Special Elements |
|
Major |
Relationships |
|
Minor |
None |
161 |
Improper Neutralization of Multiple Leading Special Elements |
|
Major |
Relationships |
|
Minor |
None |
162 |
Improper Neutralization of Trailing Special Elements |
|
Major |
Relationships |
|
Minor |
None |
163 |
Improper Neutralization of Multiple Trailing Special Elements |
|
Major |
Relationships |
|
Minor |
None |
164 |
Improper Neutralization of Internal Special Elements |
|
Major |
Relationships |
|
Minor |
None |
165 |
Improper Neutralization of Multiple Internal Special Elements |
|
Major |
Relationships |
|
Minor |
None |
166 |
Improper Handling of Missing Special Element |
|
Major |
Relationships |
|
Minor |
None |
167 |
Improper Handling of Additional Special Element |
|
Major |
Relationships |
|
Minor |
None |
168 |
Improper Handling of Inconsistent Special Elements |
|
Major |
Relationships |
|
Minor |
None |
170 |
Improper Null Termination |
|
Major |
Relationships |
|
Minor |
None |
171 |
Cleansing, Canonicalization, and Comparison Errors |
|
Major |
References, Related_Attack_Patterns, Taxonomy_Mappings |
|
Minor |
None |
172 |
Encoding Error |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
173 |
Improper Handling of Alternate Encoding |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
174 |
Double Decoding of the Same Data |
|
Major |
Common_Consequences, Observed_Examples, Relationships |
|
Minor |
None |
175 |
Improper Handling of Mixed Encoding |
|
Major |
Relationships |
|
Minor |
None |
176 |
Improper Handling of Unicode Encoding |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
177 |
Improper Handling of URL Encoding (Hex Encoding) |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
178 |
Improper Handling of Case Sensitivity |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
179 |
Incorrect Behavior Order: Early Validation |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
180 |
Incorrect Behavior Order: Validate Before Canonicalize |
|
Major |
Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
181 |
Incorrect Behavior Order: Validate Before Filter |
|
Major |
Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
182 |
Collapse of Data into Unsafe Value |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
183 |
Permissive Whitelist |
|
Major |
References, Relationships |
|
Minor |
None |
184 |
Incomplete Blacklist |
|
Major |
References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
185 |
Incorrect Regular Expression |
|
Major |
Demonstrative_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
186 |
Overly Restrictive Regular Expression |
|
Major |
Relationships |
|
Minor |
None |
187 |
Partial Comparison |
|
Major |
Relationships |
|
Minor |
None |
188 |
Reliance on Data/Memory Layout |
|
Major |
References, Relationships |
|
Minor |
None |
190 |
Integer Overflow or Wraparound |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Relationships |
|
Minor |
None |
191 |
Integer Underflow (Wrap or Wraparound) |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
192 |
Integer Coercion Error |
|
Major |
Demonstrative_Examples, References |
|
Minor |
None |
193 |
Off-by-one Error |
|
Major |
Common_Consequences, Observed_Examples, References, Relationships |
|
Minor |
None |
194 |
Unexpected Sign Extension |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
195 |
Signed to Unsigned Conversion Error |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
196 |
Unsigned to Signed Conversion Error |
|
Major |
References, Relationships |
|
Minor |
None |
197 |
Numeric Truncation Error |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
198 |
Use of Incorrect Byte Ordering |
|
Major |
Relationships |
|
Minor |
None |
200 |
Information Exposure |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
201 |
Information Exposure Through Sent Data |
|
Major |
Relationships |
|
Minor |
None |
202 |
Exposure of Sensitive Data Through Data Queries |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
203 |
Information Exposure Through Discrepancy |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships |
|
Minor |
None |
204 |
Response Discrepancy Information Exposure |
|
Major |
Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
205 |
Information Exposure Through Behavioral Discrepancy |
|
Major |
Relationships |
|
Minor |
None |
206 |
Information Exposure of Internal State Through Behavioral Inconsistency |
|
Major |
Relationships |
|
Minor |
None |
207 |
Information Exposure Through an External Behavioral Inconsistency |
|
Major |
Relationships |
|
Minor |
None |
208 |
Information Exposure Through Timing Discrepancy |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
209 |
Information Exposure Through an Error Message |
|
Major |
References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
210 |
Information Exposure Through Generated Error Message |
|
Major |
References, Relationships |
|
Minor |
None |
211 |
Information Exposure Through External Error Message |
|
Major |
Relationships |
|
Minor |
None |
212 |
Improper Cross-boundary Removal of Sensitive Data |
|
Major |
Relationships |
|
Minor |
None |
213 |
Intentional Information Exposure |
|
Major |
Relationships |
|
Minor |
None |
214 |
Information Exposure Through Process Environment |
|
Major |
Relationships |
|
Minor |
None |
215 |
Information Exposure Through Debug Information |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
216 |
Containment Errors (Container Errors) |
|
Major |
Relationships |
|
Minor |
None |
219 |
Sensitive Data Under Web Root |
|
Major |
Relationships |
|
Minor |
None |
220 |
Sensitive Data Under FTP Root |
|
Major |
Relationships |
|
Minor |
None |
221 |
Information Loss or Omission |
|
Major |
Relationships |
|
Minor |
None |
222 |
Truncation of Security-relevant Information |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
223 |
Omission of Security-relevant Information |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
224 |
Obscured Security-relevant Information by Alternate Name |
|
Major |
References, Relationships |
|
Minor |
None |
226 |
Sensitive Information Uncleared Before Release |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
227 |
Improper Fulfillment of API Contract ('API Abuse') |
|
Major |
Relationships |
|
Minor |
None |
228 |
Improper Handling of Syntactically Invalid Structure |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
229 |
Improper Handling of Values |
|
Major |
Relationships |
|
Minor |
None |
230 |
Improper Handling of Missing Values |
|
Major |
Relationships |
|
Minor |
None |
231 |
Improper Handling of Extra Values |
|
Major |
Relationships |
|
Minor |
None |
232 |
Improper Handling of Undefined Values |
|
Major |
Relationships |
|
Minor |
None |
233 |
Parameter Problems |
|
Major |
Relationships |
|
Minor |
None |
234 |
Failure to Handle Missing Parameter |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
235 |
Improper Handling of Extra Parameters |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
236 |
Improper Handling of Undefined Parameters |
|
Major |
Relationships |
|
Minor |
None |
237 |
Improper Handling of Structural Elements |
|
Major |
Relationships |
|
Minor |
None |
238 |
Improper Handling of Incomplete Structural Elements |
|
Major |
Relationships |
|
Minor |
None |
239 |
Failure to Handle Incomplete Element |
|
Major |
Relationships |
|
Minor |
None |
240 |
Improper Handling of Inconsistent Structural Elements |
|
Major |
Relationships |
|
Minor |
None |
241 |
Improper Handling of Unexpected Data Type |
|
Major |
Relationships |
|
Minor |
None |
242 |
Use of Inherently Dangerous Function |
|
Major |
Relationships |
|
Minor |
None |
243 |
Creation of chroot Jail Without Changing Working Directory |
|
Major |
Relationships |
|
Minor |
None |
244 |
Improper Clearing of Heap Memory Before Release ('Heap Inspection') |
|
Major |
Relationships |
|
Minor |
None |
245 |
J2EE Bad Practices: Direct Management of Connections |
|
Major |
Relationships |
|
Minor |
None |
246 |
J2EE Bad Practices: Direct Use of Sockets |
|
Major |
Relationships |
|
Minor |
None |
247 |
Reliance on DNS Lookups in a Security Decision |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
248 |
Uncaught Exception |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
250 |
Execution with Unnecessary Privileges |
|
Major |
References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
252 |
Unchecked Return Value |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
253 |
Incorrect Check of Function Return Value |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Relationships |
|
Minor |
None |
256 |
Plaintext Storage of a Password |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
257 |
Storing Passwords in a Recoverable Format |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
258 |
Empty Password in Configuration File |
|
Major |
References, Relationships |
|
Minor |
None |
259 |
Use of Hard-coded Password |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
260 |
Password in Configuration File |
|
Major |
References, Relationships |
|
Minor |
None |
261 |
Weak Cryptography for Passwords |
|
Major |
References, Relationships |
|
Minor |
None |
262 |
Not Using Password Aging |
|
Major |
References, Relationships |
|
Minor |
None |
263 |
Password Aging with Long Expiration |
|
Major |
References, Relationships |
|
Minor |
None |
266 |
Incorrect Privilege Assignment |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
267 |
Privilege Defined With Unsafe Actions |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
268 |
Privilege Chaining |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
269 |
Improper Privilege Management |
|
Major |
References, Relationships |
|
Minor |
None |
270 |
Privilege Context Switching Error |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
271 |
Privilege Dropping / Lowering Errors |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
272 |
Least Privilege Violation |
|
Major |
Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
273 |
Improper Check for Dropped Privileges |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
274 |
Improper Handling of Insufficient Privileges |
|
Major |
Relationships |
|
Minor |
None |
275 |
Permission Issues |
|
Major |
References |
|
Minor |
None |
276 |
Incorrect Default Permissions |
|
Major |
References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
277 |
Insecure Inherited Permissions |
|
Major |
Relationships |
|
Minor |
None |
278 |
Insecure Preserved Inherited Permissions |
|
Major |
Relationships |
|
Minor |
None |
279 |
Incorrect Execution-Assigned Permissions |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
280 |
Improper Handling of Insufficient Permissions or Privileges |
|
Major |
Relationships |
|
Minor |
None |
281 |
Improper Preservation of Permissions |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
282 |
Improper Ownership Management |
|
Major |
Relationships |
|
Minor |
None |
283 |
Unverified Ownership |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
284 |
Improper Access Control |
|
Major |
References, Relationships |
|
Minor |
None |
285 |
Improper Authorization |
|
Major |
Demonstrative_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
286 |
Incorrect User Management |
|
Major |
Relationships |
|
Minor |
None |
287 |
Improper Authentication |
|
Major |
Relationships |
|
Minor |
None |
288 |
Authentication Bypass Using an Alternate Path or Channel |
|
Major |
Observed_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
289 |
Authentication Bypass by Alternate Name |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
290 |
Authentication Bypass by Spoofing |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
291 |
Trusting Self-reported IP Address |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
292 |
Trusting Self-reported DNS Name |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
293 |
Using Referer Field for Authentication |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Relationships |
|
Minor |
None |
294 |
Authentication Bypass by Capture-replay |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
295 |
Certificate Issues |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
296 |
Improper Following of Chain of Trust for Certificate Validation |
|
Major |
References, Relationships |
|
Minor |
None |
297 |
Improper Validation of Host-specific Certificate Data |
|
Major |
References, Relationships |
|
Minor |
None |
298 |
Improper Validation of Certificate Expiration |
|
Major |
References, Relationships |
|
Minor |
None |
299 |
Improper Check for Certificate Revocation |
|
Major |
References, Relationships |
|
Minor |
None |
300 |
Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
|
Major |
Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
301 |
Reflection Attack in an Authentication Protocol |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
302 |
Authentication Bypass by Assumed-Immutable Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
303 |
Incorrect Implementation of Authentication Algorithm |
|
Major |
Relationships |
|
Minor |
None |
304 |
Missing Critical Step in Authentication |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
305 |
Authentication Bypass by Primary Weakness |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
306 |
Missing Authentication for Critical Function |
|
Major |
Potential_Mitigations, Relationships |
|
Minor |
None |
307 |
Improper Restriction of Excessive Authentication Attempts |
|
Major |
Relationships |
|
Minor |
None |
308 |
Use of Single-factor Authentication |
|
Major |
Relationships |
|
Minor |
None |
309 |
Use of Password System for Primary Authentication |
|
Major |
Relationships |
|
Minor |
None |
311 |
Missing Encryption of Sensitive Data |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
312 |
Cleartext Storage of Sensitive Information |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
313 |
Plaintext Storage in a File or on Disk |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
314 |
Plaintext Storage in the Registry |
|
Major |
Relationships |
|
Minor |
None |
315 |
Plaintext Storage in a Cookie |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
316 |
Plaintext Storage in Memory |
|
Major |
Relationships |
|
Minor |
None |
317 |
Plaintext Storage in GUI |
|
Major |
Relationships |
|
Minor |
None |
318 |
Plaintext Storage in Executable |
|
Major |
Relationships |
|
Minor |
None |
319 |
Cleartext Transmission of Sensitive Information |
|
Major |
Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
321 |
Use of Hard-coded Cryptographic Key |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
322 |
Key Exchange without Entity Authentication |
|
Major |
References, Relationships |
|
Minor |
None |
323 |
Reusing a Nonce, Key Pair in Encryption |
|
Major |
Relationships |
|
Minor |
None |
324 |
Use of a Key Past its Expiration Date |
|
Major |
References, Relationships |
|
Minor |
None |
325 |
Missing Required Cryptographic Step |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
326 |
Inadequate Encryption Strength |
|
Major |
References, Relationships |
|
Minor |
None |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
|
Major |
References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
328 |
Reversible One-Way Hash |
|
Major |
References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
329 |
Not Using a Random IV with CBC Mode |
|
Major |
References, Relationships |
|
Minor |
None |
330 |
Use of Insufficiently Random Values |
|
Major |
Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
331 |
Insufficient Entropy |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Relationships |
|
Minor |
None |
332 |
Insufficient Entropy in PRNG |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
333 |
Improper Handling of Insufficient Entropy in TRNG |
|
Major |
Relationships |
|
Minor |
None |
334 |
Small Space of Random Values |
|
Major |
Common_Consequences, Demonstrative_Examples, References, Relationships |
|
Minor |
None |
335 |
PRNG Seed Error |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
336 |
Same Seed in PRNG |
|
Major |
Relationships |
|
Minor |
None |
337 |
Predictable Seed in PRNG |
|
Major |
References, Relationships |
|
Minor |
None |
338 |
Use of Cryptographically Weak PRNG |
|
Major |
Common_Consequences, Observed_Examples, References, Relationships |
|
Minor |
None |
339 |
Small Seed Space in PRNG |
|
Major |
Relationships |
|
Minor |
None |
340 |
Predictability Problems |
|
Major |
References, Relationships |
|
Minor |
None |
341 |
Predictable from Observable State |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
342 |
Predictable Exact Value from Previous Values |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
343 |
Predictable Value Range from Previous Values |
|
Major |
References, Relationships |
|
Minor |
None |
344 |
Use of Invariant Value in Dynamically Changing Context |
|
Major |
Relationships |
|
Minor |
None |
345 |
Insufficient Verification of Data Authenticity |
|
Major |
References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
346 |
Origin Validation Error |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
347 |
Improper Verification of Cryptographic Signature |
|
Major |
Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
348 |
Use of Less Trusted Source |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
|
Major |
Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
350 |
Improperly Trusted Reverse DNS |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
351 |
Insufficient Type Distinction |
|
Major |
Relationships |
|
Minor |
None |
352 |
Cross-Site Request Forgery (CSRF) |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
353 |
Missing Support for Integrity Check |
|
Major |
References, Relationships |
|
Minor |
None |
354 |
Improper Validation of Integrity Check Value |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
356 |
Product UI does not Warn User of Unsafe Actions |
|
Major |
Relationships |
|
Minor |
None |
357 |
Insufficient UI Warning of Dangerous Operations |
|
Major |
Relationships |
|
Minor |
None |
358 |
Improperly Implemented Security Check for Standard |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
359 |
Privacy Violation |
|
Major |
Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
360 |
Trust of System Event Data |
|
Major |
Relationships |
|
Minor |
None |
361 |
Time and State |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
363 |
Race Condition Enabling Link Following |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
364 |
Signal Handler Race Condition |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
365 |
Race Condition in Switch |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
366 |
Race Condition within a Thread |
|
Major |
References, Relationships |
|
Minor |
None |
367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
|
Major |
Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
368 |
Context Switching Race Condition |
|
Major |
References, Relationships |
|
Minor |
None |
369 |
Divide By Zero |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
370 |
Missing Check for Certificate Revocation after Initial Check |
|
Major |
References, Relationships |
|
Minor |
None |
372 |
Incomplete Internal State Distinction |
|
Major |
Relationships |
|
Minor |
None |
374 |
Passing Mutable Objects to an Untrusted Method |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
375 |
Returning a Mutable Object to an Untrusted Caller |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
377 |
Insecure Temporary File |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
378 |
Creation of Temporary File With Insecure Permissions |
|
Major |
Relationships |
|
Minor |
None |
379 |
Creation of Temporary File in Directory with Incorrect Permissions |
|
Major |
References, Relationships |
|
Minor |
None |
382 |
J2EE Bad Practices: Use of System.exit() |
|
Major |
Relationships |
|
Minor |
None |
383 |
J2EE Bad Practices: Direct Use of Threads |
|
Major |
Relationships |
|
Minor |
None |
385 |
Covert Timing Channel |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
386 |
Symbolic Name not Mapping to Correct Object |
|
Major |
Relationships |
|
Minor |
None |
388 |
Error Handling |
|
Major |
References |
|
Minor |
None |
390 |
Detection of Error Condition Without Action |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
391 |
Unchecked Error Condition |
|
Major |
Relationships |
|
Minor |
None |
392 |
Missing Report of Error Condition |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
393 |
Return of Wrong Status Code |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
394 |
Unexpected Status Code or Return Value |
|
Major |
Relationships |
|
Minor |
None |
395 |
Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
396 |
Declaration of Catch for Generic Exception |
|
Major |
References, Relationships |
|
Minor |
None |
397 |
Declaration of Throws for Generic Exception |
|
Major |
Relationships |
|
Minor |
None |
398 |
Indicator of Poor Code Quality |
|
Major |
Relationships |
|
Minor |
None |
400 |
Uncontrolled Resource Consumption ('Resource Exhaustion') |
|
Major |
Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
401 |
Improper Release of Memory Before Removing Last Reference ('Memory Leak') |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
402 |
Transmission of Private Resources into a New Sphere ('Resource Leak') |
|
Major |
Relationships |
|
Minor |
None |
403 |
Exposure of File Descriptor to Unintended Control Sphere |
|
Major |
Relationships |
|
Minor |
None |
404 |
Improper Resource Shutdown or Release |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
405 |
Asymmetric Resource Consumption (Amplification) |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
406 |
Insufficient Control of Network Message Volume (Network Amplification) |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
407 |
Algorithmic Complexity |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
408 |
Incorrect Behavior Order: Early Amplification |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
409 |
Improper Handling of Highly Compressed Data (Data Amplification) |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
410 |
Insufficient Resource Pool |
|
Major |
Relationships |
|
Minor |
None |
412 |
Unrestricted Externally Accessible Lock |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
413 |
Improper Resource Locking |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
414 |
Missing Lock Check |
|
Major |
Relationships |
|
Minor |
None |
415 |
Double Free |
|
Major |
References, Relationships |
|
Minor |
None |
416 |
Use After Free |
|
Major |
References, Relationships |
|
Minor |
None |
419 |
Unprotected Primary Channel |
|
Major |
Relationships |
|
Minor |
None |
420 |
Unprotected Alternate Channel |
|
Major |
Relationships |
|
Minor |
None |
421 |
Race Condition During Access to Alternate Channel |
|
Major |
References, Relationships |
|
Minor |
None |
422 |
Unprotected Windows Messaging Channel ('Shatter') |
|
Major |
References, Relationships |
|
Minor |
None |
424 |
Improper Protection of Alternate Path |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
425 |
Direct Request ('Forced Browsing') |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
426 |
Untrusted Search Path |
|
Major |
Demonstrative_Examples, References |
|
Minor |
None |
427 |
Uncontrolled Search Path Element |
|
Major |
Observed_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
428 |
Unquoted Search Path or Element |
|
Major |
References, Relationships |
|
Minor |
None |
430 |
Deployment of Wrong Handler |
|
Major |
References, Relationships |
|
Minor |
None |
431 |
Missing Handler |
|
Major |
References, Relationships |
|
Minor |
None |
432 |
Dangerous Signal Handler not Disabled During Sensitive Operations |
|
Major |
Relationships |
|
Minor |
None |
433 |
Unparsed Raw Web Content Delivery |
|
Major |
References, Relationships |
|
Minor |
None |
434 |
Unrestricted Upload of File with Dangerous Type |
|
Major |
References, Relationships |
|
Minor |
None |
435 |
Interaction Error |
|
Major |
Relationships |
|
Minor |
None |
436 |
Interpretation Conflict |
|
Major |
Relationships |
|
Minor |
None |
437 |
Incomplete Model of Endpoint Features |
|
Major |
Relationships |
|
Minor |
None |
439 |
Behavioral Change in New Version or Environment |
|
Major |
Relationships |
|
Minor |
None |
440 |
Expected Behavior Violation |
|
Major |
Relationships |
|
Minor |
None |
441 |
Unintended Proxy/Intermediary |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
446 |
UI Discrepancy for Security Feature |
|
Major |
Relationships |
|
Minor |
None |
447 |
Unimplemented or Unsupported Feature in UI |
|
Major |
Relationships |
|
Minor |
None |
448 |
Obsolete Feature in UI |
|
Major |
Relationships |
|
Minor |
None |
449 |
The UI Performs the Wrong Action |
|
Major |
Relationships |
|
Minor |
None |
450 |
Multiple Interpretations of UI Input |
|
Major |
Relationships |
|
Minor |
None |
451 |
UI Misrepresentation of Critical Information |
|
Major |
Relationships |
|
Minor |
None |
453 |
Insecure Default Variable Initialization |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
454 |
External Initialization of Trusted Variables or Data Stores |
|
Major |
Common_Consequences, Relationships, Taxonomy_Mappings |
|
Minor |
None |
455 |
Non-exit on Failed Initialization |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
456 |
Missing Initialization |
|
Major |
References, Relationships |
|
Minor |
None |
457 |
Use of Uninitialized Variable |
|
Major |
References, Relationships |
|
Minor |
None |
459 |
Incomplete Cleanup |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
460 |
Improper Cleanup on Thrown Exception |
|
Major |
Relationships |
|
Minor |
None |
462 |
Duplicate Key in Associative List (Alist) |
|
Major |
Relationships |
|
Minor |
None |
463 |
Deletion of Data Structure Sentinel |
|
Major |
References, Relationships |
|
Minor |
None |
464 |
Addition of Data Structure Sentinel |
|
Major |
Relationships |
|
Minor |
None |
466 |
Return of Pointer Value Outside of Expected Range |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
467 |
Use of sizeof() on a Pointer Type |
|
Major |
Relationships |
|
Minor |
None |
468 |
Incorrect Pointer Scaling |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
469 |
Use of Pointer Subtraction to Determine Size |
|
Major |
Relationships |
|
Minor |
None |
470 |
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
471 |
Modification of Assumed-Immutable Data (MAID) |
|
Major |
Relationships |
|
Minor |
None |
472 |
External Control of Assumed-Immutable Web Parameter |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
473 |
PHP External Variable Modification |
|
Major |
Relationships |
|
Minor |
None |
474 |
Use of Function with Inconsistent Implementations |
|
Major |
Relationships |
|
Minor |
None |
475 |
Undefined Behavior for Input to API |
|
Major |
Relationships |
|
Minor |
None |
476 |
NULL Pointer Dereference |
|
Major |
Observed_Examples, Related_Attack_Patterns, Relationships |
|
Minor |
None |
477 |
Use of Obsolete Functions |
|
Major |
Relationships |
|
Minor |
None |
478 |
Missing Default Case in Switch Statement |
|
Major |
References, Relationships |
|
Minor |
None |
479 |
Signal Handler Use of a Non-reentrant Function |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
480 |
Use of Incorrect Operator |
|
Major |
Common_Consequences, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
481 |
Assigning instead of Comparing |
|
Major |
References, Relationships |
|
Minor |
None |
482 |
Comparing instead of Assigning |
|
Major |
References, Relationships |
|
Minor |
None |
483 |
Incorrect Block Delimitation |
|
Major |
Relationships |
|
Minor |
None |
484 |
Omitted Break Statement in Switch |
|
Major |
Common_Consequences, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
485 |
Insufficient Encapsulation |
|
Major |
Relationships |
|
Minor |
None |
486 |
Comparison of Classes by Name |
|
Major |
Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
487 |
Reliance on Package-level Scope |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
488 |
Exposure of Data Element to Wrong Session |
|
Major |
Relationships |
|
Minor |
None |
489 |
Leftover Debug Code |
|
Major |
Relationships |
|
Minor |
None |
491 |
Public cloneable() Method Without Final ('Object Hijack') |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
492 |
Use of Inner Class Containing Sensitive Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
493 |
Critical Public Variable Without Final Modifier |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
494 |
Download of Code Without Integrity Check |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
495 |
Private Array-Typed Field Returned From A Public Method |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
496 |
Public Data Assigned to Private Array-Typed Field |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
497 |
Exposure of System Data to an Unauthorized Control Sphere |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
498 |
Cloneable Class Containing Sensitive Information |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
499 |
Serializable Class Containing Sensitive Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
500 |
Public Static Field Not Marked Final |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
501 |
Trust Boundary Violation |
|
Major |
Relationships |
|
Minor |
None |
502 |
Deserialization of Untrusted Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
506 |
Embedded Malicious Code |
|
Major |
Relationships |
|
Minor |
None |
507 |
Trojan Horse |
|
Major |
Relationships |
|
Minor |
None |
508 |
Non-Replicating Malicious Code |
|
Major |
Relationships |
|
Minor |
None |
509 |
Replicating Malicious Code (Virus or Worm) |
|
Major |
Relationships |
|
Minor |
None |
510 |
Trapdoor |
|
Major |
Relationships |
|
Minor |
None |
511 |
Logic/Time Bomb |
|
Major |
Relationships |
|
Minor |
None |
512 |
Spyware |
|
Major |
Relationships |
|
Minor |
None |
514 |
Covert Channel |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
515 |
Covert Storage Channel |
|
Major |
Relationships |
|
Minor |
None |
520 |
.NET Misconfiguration: Use of Impersonation |
|
Major |
Relationships |
|
Minor |
None |
521 |
Weak Password Requirements |
|
Major |
Common_Consequences, References, Relationships |
|
Minor |
None |
522 |
Insufficiently Protected Credentials |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
523 |
Unprotected Transport of Credentials |
|
Major |
Relationships |
|
Minor |
None |
524 |
Information Exposure Through Caching |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
525 |
Information Exposure Through Browser Caching |
|
Major |
Relationships |
|
Minor |
None |
526 |
Information Exposure Through Environmental Variables |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
527 |
Exposure of CVS Repository to an Unauthorized Control Sphere |
|
Major |
Relationships |
|
Minor |
None |
528 |
Exposure of Core Dump File to an Unauthorized Control Sphere |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
529 |
Exposure of Access Control List Files to an Unauthorized Control Sphere |
|
Major |
Relationships |
|
Minor |
None |
530 |
Exposure of Backup File to an Unauthorized Control Sphere |
|
Major |
Relationships |
|
Minor |
None |
531 |
Information Exposure Through Test Code |
|
Major |
Relationships |
|
Minor |
None |
532 |
Information Exposure Through Log Files |
|
Major |
Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
533 |
Information Exposure Through Server Log Files |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
534 |
Information Exposure Through Debug Log Files |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
535 |
Information Exposure Through Shell Error Message |
|
Major |
Relationships |
|
Minor |
None |
536 |
Information Exposure Through Servlet Runtime Error Message |
|
Major |
Relationships |
|
Minor |
None |
537 |
Information Exposure Through Java Runtime Error Message |
|
Major |
Relationships |
|
Minor |
None |
538 |
File and Directory Information Exposure |
|
Major |
References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
539 |
Information Exposure Through Persistent Cookies |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
540 |
Information Exposure Through Source Code |
|
Major |
Relationships |
|
Minor |
None |
541 |
Information Exposure Through Include Source Code |
|
Major |
Relationships |
|
Minor |
None |
542 |
Information Exposure Through Cleanup Log Files |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
543 |
Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
544 |
Missing Standardized Error Handling Mechanism |
|
Major |
Relationships |
|
Minor |
None |
545 |
Use of Dynamic Class Loading |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
546 |
Suspicious Comment |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
547 |
Use of Hard-coded, Security-relevant Constants |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
548 |
Information Exposure Through Directory Listing |
|
Major |
Relationships |
|
Minor |
None |
549 |
Missing Password Field Masking |
|
Major |
References, Relationships |
|
Minor |
None |
550 |
Information Exposure Through Server Error Message |
|
Major |
Relationships |
|
Minor |
None |
551 |
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
|
Major |
Relationships |
|
Minor |
None |
552 |
Files or Directories Accessible to External Parties |
|
Major |
Relationships |
|
Minor |
None |
553 |
Command Shell in Externally Accessible Directory |
|
Major |
Relationships |
|
Minor |
None |
554 |
ASP.NET Misconfiguration: Not Using Input Validation Framework |
|
Major |
Relationships |
|
Minor |
None |
555 |
J2EE Misconfiguration: Plaintext Password in Configuration File |
|
Major |
Relationships |
|
Minor |
None |
556 |
ASP.NET Misconfiguration: Use of Identity Impersonation |
|
Major |
Relationships |
|
Minor |
None |
558 |
Use of getlogin() in Multithreaded Application |
|
Major |
Relationships |
|
Minor |
None |
560 |
Use of umask() with chmod-style Argument |
|
Major |
Relationships |
|
Minor |
None |
561 |
Dead Code |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
562 |
Return of Stack Variable Address |
|
Major |
Relationships |
|
Minor |
None |
563 |
Unused Variable |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
564 |
SQL Injection: Hibernate |
|
Major |
Relationships |
|
Minor |
None |
565 |
Reliance on Cookies without Validation and Integrity Checking |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
566 |
Authorization Bypass Through User-Controlled SQL Primary Key |
|
Major |
Relationships |
|
Minor |
None |
567 |
Unsynchronized Access to Shared Data in a Multithreaded Context |
|
Major |
Relationships |
|
Minor |
None |
568 |
finalize() Method Without super.finalize() |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
570 |
Expression is Always False |
|
Major |
Relationships |
|
Minor |
None |
571 |
Expression is Always True |
|
Major |
Relationships |
|
Minor |
None |
572 |
Call to Thread run() instead of start() |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
573 |
Improper Following of Specification by Caller |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
574 |
EJB Bad Practices: Use of Synchronization Primitives |
|
Major |
Relationships |
|
Minor |
None |
575 |
EJB Bad Practices: Use of AWT Swing |
|
Major |
Relationships |
|
Minor |
None |
576 |
EJB Bad Practices: Use of Java I/O |
|
Major |
Relationships |
|
Minor |
None |
577 |
EJB Bad Practices: Use of Sockets |
|
Major |
Relationships |
|
Minor |
None |
578 |
EJB Bad Practices: Use of Class Loader |
|
Major |
Relationships |
|
Minor |
None |
579 |
J2EE Bad Practices: Non-serializable Object Stored in Session |
|
Major |
Relationships |
|
Minor |
None |
580 |
clone() Method Without super.clone() |
|
Major |
Relationships |
|
Minor |
None |
581 |
Object Model Violation: Just One of Equals and Hashcode Defined |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
582 |
Array Declared Public, Final, and Static |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
583 |
finalize() Method Declared Public |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
584 |
Return Inside Finally Block |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
585 |
Empty Synchronized Block |
|
Major |
Relationships |
|
Minor |
None |
586 |
Explicit Call to Finalize() |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
587 |
Assignment of a Fixed Address to a Pointer |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
588 |
Attempt to Access Child of a Non-structure Pointer |
|
Major |
Relationships |
|
Minor |
None |
589 |
Call to Non-ubiquitous API |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
590 |
Free of Memory not on the Heap |
|
Major |
Relationships |
|
Minor |
None |
591 |
Sensitive Data Storage in Improperly Locked Memory |
|
Major |
Relationships |
|
Minor |
None |
592 |
Authentication Bypass Issues |
|
Major |
References, Relationships |
|
Minor |
None |
593 |
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
|
Major |
Relationships |
|
Minor |
None |
594 |
J2EE Framework: Saving Unserializable Objects to Disk |
|
Major |
Relationships |
|
Minor |
None |
595 |
Comparison of Object References Instead of Object Contents |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
596 |
Incorrect Semantic Object Comparison |
|
Major |
Relationships |
|
Minor |
None |
597 |
Use of Wrong Operator in String Comparison |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
598 |
Information Exposure Through Query Strings in GET Request |
|
Major |
Relationships |
|
Minor |
None |
599 |
Trust of OpenSSL Certificate Without Validation |
|
Major |
Relationships |
|
Minor |
None |
600 |
Uncaught Exception in Servlet |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
|
Major |
Relationships |
|
Minor |
None |
602 |
Client-Side Enforcement of Server-Side Security |
|
Major |
Relationships |
|
Minor |
None |
603 |
Use of Client-Side Authentication |
|
Major |
References, Relationships |
|
Minor |
None |
605 |
Multiple Binds to the Same Port |
|
Major |
Relationships |
|
Minor |
None |
606 |
Unchecked Input for Loop Condition |
|
Major |
References, Relationships |
|
Minor |
None |
607 |
Public Static Final Field References Mutable Object |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
608 |
Struts: Non-private Field in ActionForm Class |
|
Major |
Relationships |
|
Minor |
None |
609 |
Double-Checked Locking |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
610 |
Externally Controlled Reference to a Resource in Another Sphere |
|
Major |
Relationships |
|
Minor |
None |
611 |
Information Exposure Through XML External Entity Reference |
|
Major |
Relationships |
|
Minor |
None |
612 |
Information Exposure Through Indexing of Private Data |
|
Major |
Relationships |
|
Minor |
None |
613 |
Insufficient Session Expiration |
|
Major |
Relationships |
|
Minor |
None |
614 |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
|
Major |
Relationships |
|
Minor |
None |
615 |
Information Exposure Through Comments |
|
Major |
Relationships |
|
Minor |
None |
616 |
Incomplete Identification of Uploaded File Variables (PHP) |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
617 |
Reachable Assertion |
|
Major |
Common_Consequences, Observed_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
618 |
Exposed Unsafe ActiveX Method |
|
Major |
References, Relationships |
|
Minor |
None |
619 |
Dangling Database Cursor ('Cursor Injection') |
|
Major |
Relationships |
|
Minor |
None |
620 |
Unverified Password Change |
|
Major |
Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
621 |
Variable Extraction Error |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
622 |
Unvalidated Function Hook Arguments |
|
Major |
Relationships |
|
Minor |
None |
623 |
Unsafe ActiveX Control Marked Safe For Scripting |
|
Major |
References, Relationships |
|
Minor |
None |
624 |
Executable Regular Expression Error |
|
Major |
Relationships |
|
Minor |
None |
625 |
Permissive Regular Expression |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
626 |
Null Byte Interaction Error (Poison Null Byte) |
|
Major |
Relationships |
|
Minor |
None |
627 |
Dynamic Variable Evaluation |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
628 |
Function Call with Incorrectly Specified Arguments |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
630 |
Weaknesses Examined by SAMATE |
|
Major |
References |
|
Minor |
None |
636 |
Not Failing Securely ('Failing Open') |
|
Major |
Relationships |
|
Minor |
None |
637 |
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
|
Major |
Relationships |
|
Minor |
None |
638 |
Not Using Complete Mediation |
|
Major |
Relationships |
|
Minor |
None |
639 |
Authorization Bypass Through User-Controlled Key |
|
Major |
Relationships |
|
Minor |
None |
640 |
Weak Password Recovery Mechanism for Forgotten Password |
|
Major |
References, Relationships |
|
Minor |
None |
641 |
Improper Restriction of Names for Files and Other Resources |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
642 |
External Control of Critical State Data |
|
Major |
Demonstrative_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
643 |
Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
|
Major |
References, Relationships |
|
Minor |
None |
644 |
Improper Neutralization of HTTP Headers for Scripting Syntax |
|
Major |
Relationships |
|
Minor |
None |
645 |
Overly Restrictive Account Lockout Mechanism |
|
Major |
Relationships |
|
Minor |
None |
646 |
Reliance on File Name or Extension of Externally-Supplied File |
|
Major |
Relationships |
|
Minor |
None |
647 |
Use of Non-Canonical URL Paths for Authorization Decisions |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
648 |
Incorrect Use of Privileged APIs |
|
Major |
Relationships |
|
Minor |
None |
649 |
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
650 |
Trusting HTTP Permission Methods on the Server Side |
|
Major |
Relationships |
|
Minor |
None |
651 |
Information Exposure Through WSDL File |
|
Major |
Relationships |
|
Minor |
None |
652 |
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
|
Major |
Relationships |
|
Minor |
None |
653 |
Insufficient Compartmentalization |
|
Major |
Relationships |
|
Minor |
None |
654 |
Reliance on a Single Factor in a Security Decision |
|
Major |
Relationships |
|
Minor |
None |
655 |
Insufficient Psychological Acceptability |
|
Major |
References, Relationships |
|
Minor |
None |
656 |
Reliance on Security Through Obscurity |
|
Major |
Relationships |
|
Minor |
None |
657 |
Violation of Secure Design Principles |
|
Major |
Relationships |
|
Minor |
None |
662 |
Improper Synchronization |
|
Major |
Relationships |
|
Minor |
None |
663 |
Use of a Non-reentrant Function in a Concurrent Context |
|
Major |
Relationships |
|
Minor |
None |
664 |
Improper Control of a Resource Through its Lifetime |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
665 |
Improper Initialization |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
666 |
Operation on Resource in Wrong Phase of Lifetime |
|
Major |
Relationships |
|
Minor |
None |
667 |
Improper Locking |
|
Major |
Demonstrative_Examples, Observed_Examples, Relationships |
|
Minor |
None |
668 |
Exposure of Resource to Wrong Sphere |
|
Major |
Relationships |
|
Minor |
None |
669 |
Incorrect Resource Transfer Between Spheres |
|
Major |
Relationships |
|
Minor |
None |
670 |
Always-Incorrect Control Flow Implementation |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
671 |
Lack of Administrator Control over Security |
|
Major |
Relationships |
|
Minor |
None |
672 |
Operation on a Resource after Expiration or Release |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
673 |
External Influence of Sphere Definition |
|
Major |
Relationships |
|
Minor |
None |
674 |
Uncontrolled Recursion |
|
Major |
Relationships |
|
Minor |
None |
675 |
Duplicate Operations on Resource |
|
Major |
Relationships |
|
Minor |
None |
676 |
Use of Potentially Dangerous Function |
|
Major |
References, Related_Attack_Patterns, Relationships, Weakness_Ordinalities |
|
Minor |
None |
681 |
Incorrect Conversion between Numeric Types |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
682 |
Incorrect Calculation |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
683 |
Function Call With Incorrect Order of Arguments |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
684 |
Incorrect Provision of Specified Functionality |
|
Major |
Relationships |
|
Minor |
None |
685 |
Function Call With Incorrect Number of Arguments |
|
Major |
Relationships |
|
Minor |
None |
686 |
Function Call With Incorrect Argument Type |
|
Major |
Relationships |
|
Minor |
None |
687 |
Function Call With Incorrectly Specified Argument Value |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
688 |
Function Call With Incorrect Variable or Reference as Argument |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
689 |
Permission Race Condition During Resource Copy |
|
Major |
References |
|
Minor |
None |
691 |
Insufficient Control Flow Management |
|
Major |
Relationships |
|
Minor |
None |
692 |
Incomplete Blacklist to Cross-Site Scripting |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
693 |
Protection Mechanism Failure |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
694 |
Use of Multiple Resources with Duplicate Identifier |
|
Major |
Relationships |
|
Minor |
None |
695 |
Use of Low-Level Functionality |
|
Major |
Relationships |
|
Minor |
None |
696 |
Incorrect Behavior Order |
|
Major |
Related_Attack_Patterns, Relationships, Weakness_Ordinalities |
|
Minor |
None |
697 |
Insufficient Comparison |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
698 |
Redirect Without Exit |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
703 |
Improper Check or Handling of Exceptional Conditions |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
704 |
Incorrect Type Conversion or Cast |
|
Major |
Relationships |
|
Minor |
None |
705 |
Incorrect Control Flow Scoping |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
706 |
Use of Incorrectly-Resolved Name or Reference |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
707 |
Improper Enforcement of Message or Data Structure |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
708 |
Incorrect Ownership Assignment |
|
Major |
Common_Consequences, Relationships |
|
Minor |
None |
710 |
Coding Standards Violation |
|
Major |
Relationships |
|
Minor |
None |
713 |
OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
714 |
OWASP Top Ten 2007 Category A3 - Malicious File Execution |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
721 |
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
732 |
Incorrect Permission Assignment for Critical Resource |
|
Major |
References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
733 |
Compiler Optimization Removal or Modification of Security-critical Code |
|
Major |
Relationships |
|
Minor |
None |
749 |
Exposed Dangerous Method or Function |
|
Major |
Relationships |
|
Minor |
None |
754 |
Improper Check for Unusual or Exceptional Conditions |
|
Major |
Relationships |
|
Minor |
None |
755 |
Improper Handling of Exceptional Conditions |
|
Major |
Relationships |
|
Minor |
None |
756 |
Missing Custom Error Page |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
757 |
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') |
|
Major |
Relationships |
|
Minor |
None |
758 |
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
|
Major |
Relationships |
|
Minor |
None |
759 |
Use of a One-Way Hash without a Salt |
|
Major |
References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
760 |
Use of a One-Way Hash with a Predictable Salt |
|
Major |
References, Relationships |
|
Minor |
None |
761 |
Free of Pointer not at Start of Buffer |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
762 |
Mismatched Memory Management Routines |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
763 |
Release of Invalid Pointer or Reference |
|
Major |
Common_Consequences, Demonstrative_Examples, Relationships |
|
Minor |
None |
764 |
Multiple Locks of a Critical Resource |
|
Major |
Relationships |
|
Minor |
None |
765 |
Multiple Unlocks of a Critical Resource |
|
Major |
Relationships |
|
Minor |
None |
766 |
Critical Variable Declared Public |
|
Major |
Relationships |
|
Minor |
None |
767 |
Access to Critical Private Variable via Public Method |
|
Major |
Relationships |
|
Minor |
None |
768 |
Incorrect Short Circuit Evaluation |
|
Major |
Relationships |
|
Minor |
None |
770 |
Allocation of Resources Without Limits or Throttling |
|
Major |
Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
771 |
Missing Reference to Active Allocated Resource |
|
Major |
Relationships |
|
Minor |
None |
772 |
Missing Release of Resource after Effective Lifetime |
|
Major |
Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
773 |
Missing Reference to Active File Descriptor or Handle |
|
Major |
Relationships |
|
Minor |
None |
774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
|
Major |
References, Relationships |
|
Minor |
None |
775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
|
Major |
References, Relationships |
|
Minor |
None |
776 |
Unrestricted Recursive Entity References in DTDs ('XML Bomb') |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
778 |
Insufficient Logging |
|
Major |
References |
|
Minor |
None |
783 |
Operator Precedence Logic Error |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
785 |
Use of Path Manipulation Function without Maximum-sized Buffer |
|
Major |
Relationships |
|
Minor |
None |
786 |
Access of Memory Location Before Start of Buffer |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships |
|
Minor |
None |
788 |
Access of Memory Location After End of Buffer |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships |
|
Minor |
None |
789 |
Uncontrolled Memory Allocation |
|
Major |
References |
|
Minor |
None |
798 |
Use of Hard-coded Credentials |
|
Major |
Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
805 |
Buffer Access with Incorrect Length Value |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
806 |
Buffer Access Using Size of Source Buffer |
|
Major |
Potential_Mitigations, References |
|
Minor |
None |
807 |
Reliance on Untrusted Inputs in a Security Decision |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
821 |
Incorrect Synchronization |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
822 |
Untrusted Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
823 |
Use of Out-of-range Pointer Offset |
|
Major |
References |
|
Minor |
None |
824 |
Access of Uninitialized Pointer |
|
Major |
References |
|
Minor |
None |
825 |
Expired Pointer Dereference |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
828 |
Signal Handler with Functionality that is not Asynchronous-Safe |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
Major |
Demonstrative_Examples, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
830 |
Inclusion of Web Functionality from an Untrusted Source |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
833 |
Deadlock |
|
Major |
References |
|
Minor |
None |
834 |
Excessive Iteration |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
835 |
Loop with Unreachable Exit Condition ('Infinite Loop') |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
837 |
Improper Enforcement of a Single, Unique Action |
|
Major |
Observed_Examples |
|
Minor |
None |
838 |
Inappropriate Encoding for Output Context |
|
Major |
Potential_Mitigations, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
839 |
Numeric Range Comparison Without Minimum Check |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
841 |
Improper Enforcement of Behavioral Workflow |
|
Major |
Demonstrative_Examples, Observed_Examples, Relationships |
|
Minor |
None |
843 |
Access of Resource Using Incompatible Type ('Type Confusion') |
|
Major |
References |
|
Minor |
None |
847 |
CERT Java Secure Coding Section 02 - Expressions (EXP) |
|
Major |
Relationships |
|
Minor |
None |
849 |
CERT Java Secure Coding Section 04 - Object Orientation (OBJ) |
|
Major |
Relationships |
|
Minor |
None |
850 |
CERT Java Secure Coding Section 05 - Methods (MET) |
|
Major |
Relationships |
|
Minor |
None |
854 |
CERT Java Secure Coding Section 09 - Thread APIs (THI) |
|
Major |
Relationships |
|
Minor |
None |
857 |
CERT Java Secure Coding Section 12 - Input Output (FIO) |
|
Major |
Relationships |
|
Minor |
None |
860 |
CERT Java Secure Coding Section 15 - Runtime Environment (ENV) |
|
Major |
Relationships |
|
Minor |
None |
861 |
CERT Java Secure Coding Section 49 - Miscellaneous (MSC) |
|
Major |
Relationships |
|
Minor |
None |
862 |
Missing Authorization |
|
Major |
Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
None |
863 |
Incorrect Authorization |
|
Major |
References, Relationships |
|
Minor |
None |