Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality of data encryption if they are not addressed when designing or implementing a secure architecture.

| ID | Name | Description |
|---|---|---|
| CWE-256 | Plaintext Storage of a Password | This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them. |
| CWE-257 | Storing Passwords in a Recoverable Format | This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their original plaintext form. This practice, often called storing 'recoverable' passwords, defeats the core purpose of password protection. It allows anyone with access to the stored data—including attackers who breach the system or even malicious insiders—to obtain and reuse the actual passwords on other accounts, offering no real security advantage over storing them in plain text. |
| CWE-260 | Password in Configuration File | This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable to anyone with access to that file. |
| CWE-261 | Weak Encoding for Password | Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed. |
| CWE-311 | Missing Encryption of Sensitive Data | This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed. |
| CWE-312 | Cleartext Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems. |
| CWE-313 | Cleartext Storage in a File or on Disk | This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk without using encryption. |
| CWE-314 | Cleartext Storage in the Registry | This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry. |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie without encryption. |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of encryption or protection. |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI | This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its graphical user interface (GUI) elements. |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable | This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code without encryption. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-321 | Use of Hard-coded Cryptographic Key | This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or configuration files. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | This vulnerability occurs when a cryptographic nonce or key pair is reused, compromising the security of the encrypted data. |
| CWE-324 | Use of a Key Past its Expiration Date | This vulnerability occurs when an application continues to use a cryptographic key or password after its designated expiration date. Doing so dramatically increases the security risk by giving attackers more time to discover or crack the key. |
| CWE-325 | Missing Cryptographic Step | This vulnerability occurs when a software implementation skips a critical step in a cryptographic process, resulting in security that is significantly weaker than the intended algorithm provides. |
| CWE-326 | Inadequate Encryption Strength | This vulnerability occurs when an application protects sensitive information with encryption, but the specific algorithm or key strength used is too weak to withstand modern attack methods. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security standards. |
| CWE-328 | Use of Weak Hash | This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input that creates the same hash, or discover collisions where two inputs produce identical hash values. |
| CWE-330 | Use of Insufficiently Random Values | This vulnerability occurs when an application uses random values that are not sufficiently unpredictable in security-sensitive operations, making them easier for attackers to guess or calculate. |
| CWE-331 | Insufficient Entropy | This vulnerability occurs when a system's random number generator or algorithm lacks sufficient unpredictability, creating patterns or predictable outputs that are easier for attackers to guess. |
| CWE-332 | Insufficient Entropy in PRNG | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) doesn't have enough randomness (entropy) to start with, or isn't using enough during operation. This makes its outputs predictable, undermining both system stability and security. |
| CWE-333 | Improper Handling of Insufficient Entropy in TRNG | This vulnerability occurs when a system fails to properly manage the limited or unpredictable output rate of a true random number generator (TRNG), potentially causing failures, delays, or weakened security. |
| CWE-334 | Small Space of Random Values | This vulnerability occurs when a system uses a random number generator that produces too few possible values. Attackers can easily predict or guess these values through brute force attacks. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is used, but its initial seed value is not handled securely or is predictable, compromising the randomness of its output. |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is repeatedly initialized with the same starting seed value. |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) uses an easily guessable starting value, like the current system time or a process ID, to begin its sequence. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when software uses a pseudo-random number generator (PRNG) that is not cryptographically strong for security-sensitive operations, such as generating keys, tokens, or initialization vectors. |
| CWE-339 | Small Seed Space in PRNG | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) uses a seed that has too few possible values, making it easy for an attacker to guess through brute force. |
| CWE-347 | Improper Verification of Cryptographic Signature | This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step entirely, allowing tampered or forged information to be accepted as legitimate. |
| CWE-522 | Insufficiently Protected Credentials | This vulnerability occurs when an application handles sensitive credentials like passwords or API keys in an insecure way, making them easy for attackers to steal during transmission or while stored. |
| CWE-523 | Unprotected Transport of Credentials | This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a network without proper encryption, exposing them to interception. |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | This vulnerability occurs when a protocol or system allows negotiating a security algorithm (like encryption) but chooses a weaker option than the strongest one both parties support, creating an unnecessary security gap. |
| CWE-759 | Use of a One-Way Hash without a Salt | This vulnerability occurs when a system uses a one-way hash function (like MD5 or SHA-256) to protect sensitive data like passwords, but fails to add a unique random value called a salt before hashing. |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | This vulnerability occurs when an application uses a one-way hash (for example, for password storage) but combines it with a predictable or easily guessed salt. This undermines the security benefit of salting, making pre-computed attack methods like rainbow tables highly effective. |
| CWE-780 | Use of RSA Algorithm without OAEP | This vulnerability occurs when an application implements RSA encryption but fails to use Optimal Asymmetric Encryption Padding (OAEP), significantly weakening the cryptographic protection. |
| CWE-922 | Insecure Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data—like credentials, personal information, or encryption keys—without enforcing proper access controls, allowing unauthorized users to read or modify it. |
| CWE-1008 | Architectural Concepts | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |