20 |
Improper Input Validation |
|
Major |
Relationships |
|
Minor |
None |
58 |
Path Equivalence: Windows 8.3 Filename |
|
Major |
None |
|
Minor |
Research_Gaps |
59 |
Improper Link Resolution Before File Access ('Link Following') |
|
Major |
Research_Gaps |
|
Minor |
None |
61 |
UNIX Symbolic Link (Symlink) Following |
|
Major |
Research_Gaps |
|
Minor |
None |
62 |
UNIX Hard Link |
|
Major |
Research_Gaps |
|
Minor |
None |
65 |
Windows Hard Link |
|
Major |
Research_Gaps |
|
Minor |
None |
74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|
Major |
Demonstrative_Examples, Related_Attack_Patterns |
|
Minor |
None |
78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
88 |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References |
|
Minor |
None |
90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
Major |
Research_Gaps |
|
Minor |
None |
93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
|
Major |
Research_Gaps |
|
Minor |
None |
94 |
Improper Control of Generation of Code ('Code Injection') |
|
Major |
Research_Gaps |
|
Minor |
None |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
Major |
Research_Gaps |
|
Minor |
None |
98 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
|
Major |
Research_Gaps |
|
Minor |
None |
107 |
Struts: Unused Validation Form |
|
Major |
Relationships |
|
Minor |
None |
110 |
Struts: Validator Without Form Field |
|
Major |
Relationships |
|
Minor |
None |
124 |
Buffer Underwrite ('Buffer Underflow') |
|
Major |
Research_Gaps |
|
Minor |
None |
125 |
Out-of-bounds Read |
|
Major |
Research_Gaps |
|
Minor |
None |
138 |
Improper Neutralization of Special Elements |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
191 |
Integer Underflow (Wrap or Wraparound) |
|
Major |
Research_Gaps |
|
Minor |
None |
193 |
Off-by-one Error |
|
Major |
Research_Gaps |
|
Minor |
None |
250 |
Execution with Unnecessary Privileges |
|
Major |
Observed_Examples |
|
Minor |
None |
268 |
Privilege Chaining |
|
Major |
Research_Gaps |
|
Minor |
None |
269 |
Improper Privilege Management |
|
Major |
Relationships |
|
Minor |
None |
270 |
Privilege Context Switching Error |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
276 |
Incorrect Default Permissions |
|
Major |
Relationships |
|
Minor |
None |
285 |
Improper Authorization |
|
Major |
Relationships |
|
Minor |
None |
295 |
Improper Certificate Validation |
|
Major |
Relationships |
|
Minor |
None |
296 |
Improper Following of a Certificate's Chain of Trust |
|
Major |
Relationships |
|
Minor |
None |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
|
Major |
Relationships |
|
Minor |
None |
329 |
Generation of Predictable IV with CBC Mode |
|
Major |
Relationships |
|
Minor |
None |
346 |
Origin Validation Error |
|
Major |
Relationships |
|
Minor |
None |
349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
|
Major |
Relationships |
|
Minor |
None |
358 |
Improperly Implemented Security Check for Standard |
|
Major |
Relationships |
|
Minor |
None |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
364 |
Signal Handler Race Condition |
|
Major |
Relationships, Research_Gaps |
|
Minor |
None |
365 |
DEPRECATED: Race Condition in Switch |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type |
|
Minor |
None |
366 |
Race Condition within a Thread |
|
Major |
Relationships |
|
Minor |
None |
367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
|
Major |
Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
400 |
Uncontrolled Resource Consumption |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
406 |
Insufficient Control of Network Message Volume (Network Amplification) |
|
Major |
Relationships |
|
Minor |
None |
415 |
Double Free |
|
Major |
Demonstrative_Examples, Observed_Examples |
|
Minor |
None |
426 |
Untrusted Search Path |
|
Major |
Research_Gaps |
|
Minor |
None |
427 |
Uncontrolled Search Path Element |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
428 |
Unquoted Search Path or Element |
|
Major |
Research_Gaps |
|
Minor |
None |
429 |
Handler Errors |
|
Major |
Research_Gaps |
|
Minor |
None |
434 |
Unrestricted Upload of File with Dangerous Type |
|
Major |
Research_Gaps |
|
Minor |
None |
436 |
Interpretation Conflict |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
451 |
User Interface (UI) Misrepresentation of Critical Information |
|
Major |
Relationships |
|
Minor |
None |
476 |
NULL Pointer Dereference |
|
Major |
Alternate_Terms |
|
Minor |
None |
506 |
Embedded Malicious Code |
|
Major |
Relationships |
|
Minor |
None |
557 |
Concurrency Issues |
|
Major |
Relationships |
|
Minor |
None |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
|
Major |
Relationships |
|
Minor |
None |
602 |
Client-Side Enforcement of Server-Side Security |
|
Major |
Research_Gaps |
|
Minor |
None |
610 |
Externally Controlled Reference to a Resource in Another Sphere |
|
Major |
Relationships |
|
Minor |
None |
612 |
Improper Authorization of Index Containing Sensitive Information |
|
Major |
None |
|
Minor |
Research_Gaps |
621 |
Variable Extraction Error |
|
Major |
Research_Gaps |
|
Minor |
None |
623 |
Unsafe ActiveX Control Marked Safe For Scripting |
|
Major |
Research_Gaps |
|
Minor |
None |
636 |
Not Failing Securely ('Failing Open') |
|
Major |
Relationships |
|
Minor |
None |
655 |
Insufficient Psychological Acceptability |
|
Major |
Relationships |
|
Minor |
None |
668 |
Exposure of Resource to Wrong Sphere |
|
Major |
Relationships |
|
Minor |
None |
669 |
Incorrect Resource Transfer Between Spheres |
|
Major |
Relationships |
|
Minor |
None |
684 |
Incorrect Provision of Specified Functionality |
|
Major |
Relationships |
|
Minor |
None |
697 |
Incorrect Comparison |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
703 |
Improper Check or Handling of Exceptional Conditions |
|
Major |
Relationships |
|
Minor |
None |
707 |
Improper Neutralization |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
710 |
Improper Adherence to Coding Standards |
|
Major |
Relationships |
|
Minor |
None |
754 |
Improper Check for Unusual or Exceptional Conditions |
|
Major |
Relationships |
|
Minor |
None |
755 |
Improper Handling of Exceptional Conditions |
|
Major |
Relationships |
|
Minor |
None |
776 |
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
788 |
Access of Memory Location After End of Buffer |
|
Major |
Description |
|
Minor |
None |
807 |
Reliance on Untrusted Inputs in a Security Decision |
|
Major |
Relationships |
|
Minor |
None |
822 |
Untrusted Pointer Dereference |
|
Major |
Research_Gaps |
|
Minor |
None |
823 |
Use of Out-of-range Pointer Offset |
|
Major |
Research_Gaps |
|
Minor |
None |
824 |
Access of Uninitialized Pointer |
|
Major |
Research_Gaps |
|
Minor |
None |
825 |
Expired Pointer Dereference |
|
Major |
Research_Gaps |
|
Minor |
None |
828 |
Signal Handler with Functionality that is not Asynchronous-Safe |
|
Major |
Observed_Examples |
|
Minor |
None |
841 |
Improper Enforcement of Behavioral Workflow |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
843 |
Access of Resource Using Incompatible Type ('Type Confusion') |
|
Major |
Research_Gaps |
|
Minor |
None |
912 |
Hidden Functionality |
|
Major |
Relationships |
|
Minor |
None |
943 |
Improper Neutralization of Special Elements in Data Query Logic |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
986 |
SFP Secondary Cluster: Missing Lock |
|
Major |
Relationships |
|
Minor |
None |
1059 |
Insufficient Technical Documentation |
|
Major |
Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction |
|
Minor |
None |
1104 |
Use of Unmaintained Third Party Components |
|
Major |
References, Relationships |
|
Minor |
None |
1164 |
Irrelevant Code |
|
Major |
Relationships |
|
Minor |
None |
1191 |
On-Chip Debug and Test Interface With Improper Access Control |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1195 |
Manufacturing and Life Cycle Management Concerns |
|
Major |
Relationships |
|
Minor |
None |
1198 |
Privilege Separation and Access Control Issues |
|
Major |
Relationships |
|
Minor |
None |
1208 |
Cross-Cutting Problems |
|
Major |
Relationships |
|
Minor |
None |
1222 |
Insufficient Granularity of Address Regions Protected by Register Locks |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1224 |
Improper Restriction of Write-Once Bit Fields |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1225 |
Documentation Issues |
|
Major |
Description |
|
Minor |
None |
1231 |
Improper Prevention of Lock Bit Modification |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
1233 |
Security-Sensitive Hardware Controls with Missing Lock Bit Protection |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
1234 |
Hardware Internal or Debug Modes Allow Override of Locks |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1242 |
Inclusion of Undocumented Features or Chicken Bits |
|
Major |
Relationships |
|
Minor |
None |
1244 |
Internal Asset Exposed to Unsafe Debug Access Level or State |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1246 |
Improper Write Handling in Limited-write Non-Volatile Memories |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1247 |
Improper Protection Against Voltage and Clock Glitches |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
1250 |
Improper Preservation of Consistency Between Independent Representations of Shared State |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1252 |
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1256 |
Improper Restriction of Software Interfaces to Hardware Features |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1257 |
Improper Access Control Applied to Mirrored or Aliased Memory Regions |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1259 |
Improper Restriction of Security Token Assignment |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1260 |
Improper Handling of Overlap Between Protected Memory Ranges |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1261 |
Improper Handling of Single Event Upsets |
|
Major |
Relationships |
|
Minor |
None |
1262 |
Improper Access Control for Register Interface |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1267 |
Policy Uses Obsolete Encoding |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1268 |
Policy Privileges are not Assigned Consistently Between Control and Data Agents |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1270 |
Generation of Incorrect Security Tokens |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1274 |
Improper Access Control for Volatile Memory Containing Boot Code |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1277 |
Firmware Not Updateable |
|
Major |
Detection_Factors, Observed_Examples, Potential_Mitigations, Relationships |
|
Minor |
None |
1278 |
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques |
|
Major |
Relationships |
|
Minor |
None |
1279 |
Cryptographic Operations are run Before Supporting Units are Ready |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1282 |
Assumed-Immutable Data is Stored in Writable Memory |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1283 |
Mutable Attestation or Measurement Reporting Data |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1286 |
Improper Validation of Syntactic Correctness of Input |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1290 |
Incorrect Decoding of Security Identifiers |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1292 |
Incorrect Conversion of Security Identifiers |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1294 |
Insecure Security Identifier Mechanism |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1296 |
Incorrect Chaining or Granularity of Debug Components |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1297 |
Unprotected Confidential Information on Device is Accessible by OSAT Vendors |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1299 |
Missing Protection Mechanism for Alternate Hardware Interface |
|
Major |
Applicable_Platforms, Common_Consequences, Related_Attack_Patterns |
|
Minor |
None |
1302 |
Missing Security Identifier |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1310 |
Missing Ability to Patch ROM Code |
|
Major |
Applicable_Platforms, Common_Consequences, Potential_Mitigations, Relationships |
|
Minor |
None |
1312 |
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1313 |
Hardware Allows Activation of Test or Debug Logic at Runtime |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1314 |
Missing Write Protection for Parametric Data Values |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1316 |
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1317 |
Missing Security Checks in Fabric Bridge |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1318 |
Missing Support for Security Features in On-chip Fabrics or Buses |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1319 |
Improper Protection against Electromagnetic Fault Injection (EM-FI) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1320 |
Improper Protection for Out of Bounds Signal Level Alerts |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1324 |
Sensitive Information Accessible by Physical Probing of JTAG Interface |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1326 |
Missing Immutable Root of Trust in Hardware |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
1328 |
Security Version Number Mutable to Older Versions |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1329 |
Reliance on Component That is Not Updateable |
|
Major |
Common_Consequences, Description, Detection_Factors, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References, Relationships, Time_of_Introduction, Weakness_Ordinalities |
|
Minor |
None |
1330 |
Remanent Data Readable after Memory Erase |
|
Major |
Applicable_Platforms |
|
Minor |
None |
1331 |
Improper Isolation of Shared Resources in Network On Chip (NoC) |
|
Major |
Applicable_Platforms, References |
|
Minor |
None |
1332 |
Improper Handling of Faults that Lead to Instruction Skips |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
1333 |
Inefficient Regular Expression Complexity |
|
Major |
Observed_Examples, Potential_Mitigations |
|
Minor |
None |
1338 |
Improper Protections Against Hardware Overheating |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
1341 |
Multiple Releases of Same Resource or Handle |
|
Major |
Demonstrative_Examples, Description, Potential_Mitigations |
|
Minor |
None |
1351 |
Improper Handling of Hardware Behavior in Exceptionally Cold Environments |
|
Major |
Relationships |
|
Minor |
References |