View: Entries with Maintenance Notes
Draft
Type: Implicit
Objective
CWE entries in this view have maintenance notes. Maintenance notes are an indicator that an entry might change significantly in future versions. This view was created due to feedback from the CWE Board and participants in the CWE Compatibility Summit in March 2021.
Audience
| Type | Description |
|---|---|
| Assessment Tool Vendors | Assessment vendors may use this view to anticipate future changes to CWE that will help them to better prepare customers for important changes in CWE. |
Membership
| ID | Name | Description |
|---|---|---|
| CWE-103 | Struts: Incomplete validate() Method Definition | This vulnerability occurs in a Struts application when a validator form either completely omits a validate() method or includes one but fails to call super.validate() within it. |
| CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code | This vulnerability occurs when a processor's performance optimization unintentionally strips out or alters security-critical code that a developer intentionally placed in the software. |
| CWE-114 | Process Control | Process Control vulnerabilities occur when an application executes commands or loads libraries from an untrusted source or environment, allowing an attacker to run malicious code. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it later. |
| CWE-1204 | Generation of Weak Initialization Vector (IV) | This vulnerability occurs when software uses a weak or predictable Initialization Vector (IV) for cryptographic operations. Many encryption algorithms require IVs to be both unique and unpredictable to ensure security, and failing to meet these requirements can compromise the entire encryption process. |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | This weakness occurs when a product uses a custom, unverified, or non-compliant implementation of a cryptographic algorithm instead of a trusted, standard solution. |
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | This vulnerability occurs when a device or application relies on a predictable algorithm to generate pseudo-random numbers, making the output sequence foreseeable. |
| CWE-1253 | Incorrect Selection of Fuse Values | This vulnerability occurs when a hardware security fuse is incorrectly programmed to represent a 'secure' state as logic 0 (unblown). An attacker can permanently force the system into an insecure mode simply by blowing the fuse, which flips its value to logic 1. |
| CWE-1254 | Incorrect Comparison Logic Granularity | This vulnerability occurs when a system compares sensitive data, like passwords or authentication tokens, piece-by-piece instead of as a complete unit. If the comparison stops at the first mismatch, attackers can measure tiny timing differences to gradually guess the correct value. |
| CWE-1259 | Improper Restriction of Security Token Assignment | This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly secure its Security Token mechanism. These tokens control which actions different system components are allowed to perform, but inadequate protection allows them to be manipulated. |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | This vulnerability occurs when a system incorrectly allows different memory protection ranges to overlap. This flaw can let attackers bypass security controls and access restricted memory areas. |
| CWE-1263 | Improper Physical Access Control | This vulnerability occurs when a device or system has areas meant to be physically secure, but the safeguards in place are too weak to stop someone with direct physical access from reaching restricted components or data. |
| CWE-1264 | Hardware Logic with Insecure De-Synchronization between Control and Data Channels | This vulnerability occurs when a hardware design incorrectly forwards data before its security or permission checks have finished processing. It's a timing flaw where the data channel gets ahead of the control channel, potentially leaking information. |
| CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device | This vulnerability occurs when a system lacks a reliable method for administrators to permanently erase sensitive information before taking hardware or software out of service. The data scrubbing feature might be missing, ineffective, or flawed, leaving confidential data behind. |
| CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents | This vulnerability occurs when hardware access control policies are inconsistent, allowing an agent with control privileges to modify write permissions even when it shouldn't have direct write access. |
| CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Security-critical hardware registers start with random, unpredictable values when a device powers on or resets, creating an immediate vulnerability window before software can initialize them. |
| CWE-1273 | Device Unlock Credential Sharing | This vulnerability occurs when the secret keys or passwords required to unlock a device's hidden features are shared between multiple organizations, creating a chain of trust where sensitive access can be leaked. |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | This vulnerability occurs when hardware lacks safeguards against physical inspection, allowing attackers to extract sensitive data by capturing and analyzing high-resolution images of the integrated circuit's internal structure. |
| CWE-1282 | Assumed-Immutable Data is Stored in Writable Memory | This vulnerability occurs when data that should be permanent and unchangeable—like a bootloader, device IDs, or one-time configuration settings—is placed in memory that can be rewritten or updated after deployment. |
| CWE-1283 | Mutable Attestation or Measurement Reporting Data | This vulnerability occurs when the hardware registers storing boot integrity measurements can be altered by an attacker, allowing them to forge verification data and hide a compromised boot process. |
| CWE-1284 | Improper Validation of Specified Quantity in Input | This vulnerability occurs when an application accepts user input meant to define a quantity—like a number, size, or count—but fails to properly check if that value is safe and reasonable before using it. |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | This vulnerability occurs when software accepts user input to determine a location—like an array index, file position, or memory offset—but fails to properly check if that location is safe and valid before using it. |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | This vulnerability occurs when software expects input in a specific, well-structured format but fails to properly check that the incoming data actually follows those rules. |
| CWE-1287 | Improper Validation of Specified Type of Input | This vulnerability occurs when software expects a specific type of data as input but fails to properly check that the incoming data actually matches that type. |
| CWE-1288 | Improper Validation of Consistency within Input | This vulnerability occurs when an application accepts structured input containing multiple related fields but fails to verify that the values across those fields are logically consistent with each other. |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | This vulnerability occurs when an application accepts user input as a reference (like a file path or resource identifier) but fails to properly check if that input is functionally equivalent to a dangerous or restricted value. |
| CWE-1294 | Insecure Security Identifier Mechanism | This vulnerability occurs when a System-on-Chip (SoC) implements a Security Identifier mechanism to control transaction permissions, but the implementation contains flaws that undermine its security. |
| CWE-1296 | Incorrect Chaining or Granularity of Debug Components | This vulnerability occurs when hardware debug components, such as test ports and scan chains, are incorrectly connected or organized within a chip's design. This misconfiguration can create unintended access paths, potentially exposing sensitive internal data or functions. |
| CWE-1297 | Unprotected Confidential Information on Device is Accessible by OSAT Vendors | This vulnerability occurs when a semiconductor chip does not properly secure sensitive data, making it accessible to third-party Outsourced Semiconductor Assembly and Test (OSAT) vendors during the manufacturing process. |
| CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | The product's data removal process fails to completely erase all data from hardware components, potentially leaving sensitive information behind. |
| CWE-1303 | Non-Transparent Sharing of Microarchitectural Resources | This vulnerability occurs when a processor's internal performance features, like caches and branch predictors, are unintentionally shared between different software contexts. This breaks the expected isolation, allowing data to leak across security boundaries. |
| CWE-131 | Incorrect Calculation of Buffer Size | This vulnerability occurs when a program miscalculates the amount of memory needed for a buffer, potentially leading to a buffer overflow that can crash the software or allow attackers to execute malicious code. |
| CWE-1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges | This vulnerability occurs when a hardware fabric's address map incorrectly allows protected and unprotected memory regions to overlap. Attackers can exploit this overlap to bypass security controls and access restricted data or functions. |
| CWE-1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) | This vulnerability occurs when a hardware device lacks sufficient shielding against electromagnetic interference, allowing attackers to disrupt its internal operations. By inducing targeted electromagnetic pulses, an attacker can force the device to malfunction, potentially bypassing security checks or leaking sensitive data. |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | This vulnerability occurs when an application uses a template engine to process user-controlled input but fails to properly sanitize special syntax characters. Attackers can inject template expressions or directives that the engine executes, leading to unintended code execution. |
| CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution | This vulnerability occurs when a CPU fails to completely erase temporary data traces left behind by speculative execution or error recovery processes. These lingering microarchitectural hints can be analyzed through side-channels to leak sensitive information. |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | This weakness occurs when a system integrates a component that cannot be fully trusted to meet security, reliability, and maintenance standards, creating risk for the entire product. |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point | This vulnerability occurs when a Windows application opens a file or directory without properly validating that the path is not a symbolic link (junction or mount point) pointing to a location outside the application's intended security boundary. |
| CWE-1426 | Improper Validation of Generative AI Output | This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before using it. Without this validation, the AI's responses might contain security flaws, harmful content, or data leaks that violate the application's intended policies. |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | This vulnerability occurs when an application fails to properly validate or neutralize special characters and control elements within user-supplied input. Without this filtering, attackers can inject these elements to manipulate the application's logic, leading to security breaches or system instability. |
| CWE-170 | Improper Null Termination | This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator. |
| CWE-172 | Encoding Error | This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted information that can break functionality or create security gaps. |
| CWE-192 | Integer Coercion Error | An integer coercion error occurs when a program incorrectly converts, extends, or truncates a number between different data types, leading to unexpected values. |
| CWE-194 | Unexpected Sign Extension | This vulnerability occurs when a signed number from a smaller data type is moved or cast to a larger type, causing its sign bit to be incorrectly extended. If the original value is negative, this sign extension can fill the new, higher-order bits with '1's, leading to unexpectedly large positive values and causing logic errors, buffer overflows, or security bypasses. |
| CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it. |
| CWE-202 | Exposure of Sensitive Information Through Data Queries | This vulnerability occurs when an attacker uses statistical analysis on aggregated or anonymized data to uncover sensitive details about individuals, even when direct identifiers are removed. |
| CWE-208 | Observable Timing Discrepancy | This vulnerability occurs when an application takes measurably different amounts of time to perform different operations, such as checking a password or processing a request. An attacker can observe these timing differences to learn sensitive information, like whether a username is valid or a cryptographic key guess is correct. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | This vulnerability occurs when a system's data handling aligns with the developer's security rules but accidentally reveals information that other stakeholders—like users or administrators—consider confidential. Essentially, the developer's policy conflicts with the security expectations of the people who use or manage the product. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when the resource is allocated to a new process or used in a different context. |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure, often leading to crashes or unexpected behavior. |
| CWE-234 | Failure to Handle Missing Parameter | This vulnerability occurs when a function or method receives fewer arguments than it expects. The function will still attempt to process its expected number of parameters, which can lead to reading undefined, stale, or arbitrary values from the program's memory or stack, causing crashes or unexpected behavior. |
| CWE-250 | Execution with Unnecessary Privileges | This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege creates security risks by opening doors to new attacks or making existing weaknesses more dangerous. |
| CWE-257 | Storing Passwords in a Recoverable Format | This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their original plaintext form. This practice, often called storing 'recoverable' passwords, defeats the core purpose of password protection. It allows anyone with access to the stored data—including attackers who breach the system or even malicious insiders—to obtain and reuse the actual passwords on other accounts, offering no real security advantage over storing them in plain text. |
| CWE-259 | Use of Hard-coded Password | This vulnerability occurs when an application embeds a password directly into its source code or configuration files. This hard-coded secret is then used either to authenticate incoming users or to connect to external services and databases. |
| CWE-263 | Password Aging with Long Expiration | The system enforces password changes, but the time allowed between changes is excessively long, weakening security. |
| CWE-267 | Privilege Defined With Unsafe Actions | This vulnerability occurs when a system grants a user, role, or process a specific permission that can be misused to perform dangerous, unintended actions. The permission itself is correctly assigned, but its scope is too broad or allows for unsafe operations. |
| CWE-269 | Improper Privilege Management | This vulnerability occurs when an application fails to correctly manage user permissions, allowing someone to perform actions or access data beyond their intended authority. |
| CWE-271 | Privilege Dropping / Lowering Errors | This vulnerability occurs when a system or process fails to reduce its elevated permissions before transferring control of a resource to a less-privileged user or component. |
| CWE-272 | Least Privilege Violation | This vulnerability occurs when software fails to reduce its elevated system privileges after completing a sensitive operation, leaving it with unnecessary and dangerous access rights. |
| CWE-274 | Improper Handling of Insufficient Privileges | This vulnerability occurs when an application fails to properly manage situations where it lacks the necessary permissions to execute an action. This flawed handling can lead to crashes, data corruption, or unintended security bypasses. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | This vulnerability occurs when a system fails to properly manage situations where it lacks the necessary permissions to perform an action or access a resource. This flawed handling can force the application into unintended states or error paths, potentially leading to crashes, data corruption, or security bypasses. |
| CWE-282 | Improper Ownership Management | This vulnerability occurs when a system incorrectly assigns or fails to verify which user or process rightfully controls a specific object or resource. |
| CWE-284 | Improper Access Control | The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it. |
| CWE-286 | Incorrect User Management | This vulnerability occurs when an application incorrectly handles user accounts, roles, or group memberships, leading to improper access control. |
| CWE-287 | Improper Authentication | Improper Authentication occurs when a system fails to properly verify a user's claimed identity, allowing access without sufficient proof of who they are. |
| CWE-300 | Channel Accessible by Non-Endpoint | This vulnerability occurs when a system fails to properly verify who is on the other end of a communication link or to secure the channel itself. This allows an unauthorized third party to access or manipulate the communication as if they were a legitimate participant. |
| CWE-301 | Reflection Attack in an Authentication Protocol | A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing the secret key. This happens when an attacker can bounce, or 'reflect,' a server's own challenge back to it using a second connection, tricking the system into granting access. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-32 | Path Traversal: '...' (Triple Dot) | This vulnerability occurs when an application builds file paths using user input but fails to properly filter out '...' (triple dot) sequences. Attackers can exploit this to escape restricted directories and access unauthorized files or folders on the server. |
| CWE-321 | Use of Hard-coded Cryptographic Key | This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or configuration files. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security standards. |
| CWE-328 | Use of Weak Hash | This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input that creates the same hash, or discover collisions where two inputs produce identical hash values. |
| CWE-329 | Generation of Predictable IV with CBC Mode | This vulnerability occurs when software uses a predictable or reused Initialization Vector (IV) with Cipher Block Chaining (CBC) mode encryption. Predictable IVs undermine the security of CBC, making encrypted data vulnerable to dictionary and chosen-plaintext attacks, especially when the same key is used multiple times. |
| CWE-33 | Path Traversal: '....' (Multiple Dot) | This vulnerability occurs when an application builds file paths using user input but fails to properly filter sequences of multiple dots ('....'). Attackers can exploit this to break out of the intended directory and access unauthorized files or folders elsewhere on the system. |
| CWE-330 | Use of Insufficiently Random Values | This vulnerability occurs when an application uses random values that are not sufficiently unpredictable in security-sensitive operations, making them easier for attackers to guess or calculate. |
| CWE-331 | Insufficient Entropy | This vulnerability occurs when a system's random number generator or algorithm lacks sufficient unpredictability, creating patterns or predictable outputs that are easier for attackers to guess. |
| CWE-332 | Insufficient Entropy in PRNG | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) doesn't have enough randomness (entropy) to start with, or isn't using enough during operation. This makes its outputs predictable, undermining both system stability and security. |
| CWE-333 | Improper Handling of Insufficient Entropy in TRNG | This vulnerability occurs when a system fails to properly manage the limited or unpredictable output rate of a true random number generator (TRNG), potentially causing failures, delays, or weakened security. |
| CWE-334 | Small Space of Random Values | This vulnerability occurs when a system uses a random number generator that produces too few possible values. Attackers can easily predict or guess these values through brute force attacks. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is used, but its initial seed value is not handled securely or predictably, compromising the randomness of its output. |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is repeatedly initialized with the same starting seed value. |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) uses an easily guessable starting value, like the current system time or a process ID, to begin its sequence. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when software uses a pseudo-random number generator (PRNG) that is not cryptographically strong for security-sensitive operations, such as generating keys, tokens, or initialization vectors. |
| CWE-339 | Small Seed Space in PRNG | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) uses a seed that has too few possible values, making it easy for an attacker to guess through brute force. |
| CWE-340 | Generation of Predictable Numbers or Identifiers | This vulnerability occurs when a system creates numbers or identifiers that are too easy to guess, undermining security mechanisms that rely on unpredictability. |
| CWE-341 | Predictable from Observable State | This vulnerability occurs when an attacker can guess or deduce sensitive values, like random numbers or identifiers, by observing predictable system or network characteristics such as timestamps, process IDs, or other public information. |
| CWE-342 | Predictable Exact Value from Previous Values | This vulnerability occurs when a system uses a predictable sequence for generating values, allowing an attacker to accurately guess future numbers by analyzing past ones. |
| CWE-343 | Predictable Value Range from Previous Values | This vulnerability occurs when a system's random number generator produces values that, after observing previous outputs, allow an attacker to predict a limited range for the next value. |
| CWE-345 | Insufficient Verification of Data Authenticity | This vulnerability occurs when an application fails to properly check where data comes from or confirm its legitimacy, allowing untrusted or forged information to be processed as valid. |
| CWE-346 | Origin Validation Error | This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source. |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | This vulnerability occurs when an application uses a reverse DNS lookup on an IP address to get a hostname and then uses that hostname for a security decision—like access control or logging—without verifying that the IP address actually belongs to that hostname. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | This vulnerability occurs when an application fails to adequately protect sensitive personal data, allowing access to individuals who either lack proper authorization or haven't provided necessary consent for its use. |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | A race condition occurs when multiple processes or threads access a shared resource simultaneously without proper coordination, creating a timing window where the resource's state can be unexpectedly altered, leading to unpredictable behavior or security vulnerabilities. |
| CWE-372 | Incomplete Internal State Distinction | This vulnerability occurs when an application fails to accurately track its own operational state. The system incorrectly assumes it's in one mode or condition when it's actually in another, leading to security-critical actions being performed with the wrong assumptions. |
| CWE-385 | Covert Timing Channel | A covert timing channel is a security flaw where an attacker can deduce secret information by observing how long certain operations take to execute. Instead of directly reading data, they analyze timing variations in system behavior to infer protected details. |
| CWE-391 | Unchecked Error Condition | This vulnerability occurs when a program fails to properly check or handle error conditions, such as exceptions or return codes. By ignoring these failures, the software can enter an unexpected state that attackers might exploit, often without any logging or user notification. |
| CWE-400 | Uncontrolled Resource Consumption | This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a denial of service. |
| CWE-428 | Unquoted Search Path or Element | This vulnerability occurs when a program uses a file path or command that contains spaces and is not enclosed in quotes. The operating system may misinterpret where the executable file is located, potentially allowing an attacker to run a malicious program with higher privileges. |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | A confused deputy vulnerability occurs when a system receives a request from a client and forwards it to an external destination without properly identifying the original source. This makes the system appear to be the originator of the request, effectively turning it into an unintended proxy for the client. |
| CWE-446 | UI Discrepancy for Security Feature | This vulnerability occurs when a user interface incorrectly displays a security feature as active or properly configured, misleading users into believing they are protected when they are not. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | This vulnerability occurs when a user interface fails to accurately display or highlight crucial information, potentially misleading users about the true state of the system or the source of data. Attackers exploit this weakness to trick users into performing unintended actions, often as part of phishing campaigns or other deception-based attacks. |
| CWE-453 | Insecure Default Variable Initialization | This vulnerability occurs when software sets an internal variable to an insecure or unnecessarily weak default value during initialization, rather than using the most secure option available. |
| CWE-466 | Return of Pointer Value Outside of Expected Range | This vulnerability occurs when a function returns a memory pointer that points outside the expected buffer range, potentially exposing unrelated memory or causing crashes. |
| CWE-502 | Deserialization of Untrusted Data | This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation, allowing an attacker to manipulate the data to execute malicious code or cause unexpected behavior. |
| CWE-514 | Covert Channel | A covert channel is a hidden communication path that allows data to be transmitted in a way that bypasses the system's intended security controls and monitoring. |
| CWE-515 | Covert Storage Channel | A covert storage channel is a type of security flaw where one process secretly encodes data into a shared system resource (like a file, memory bit, or status flag), and another unauthorized process later reads that resource to extract the hidden information. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | This vulnerability occurs when an application unintentionally stores confidential data—like passwords, API keys, or personal user details—in a location that is publicly accessible or readable by unauthorized users. Even if the file itself is intended to be available, the sensitive information within it should not be. |
| CWE-600 | Uncaught Exception in Servlet | This vulnerability occurs when a Java Servlet fails to properly catch and handle exceptions, potentially exposing sensitive system information in error messages. |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | This vulnerability occurs when an application uses user-supplied input to reference a resource located outside its intended security boundary, allowing attackers to redirect operations to unintended locations. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | This vulnerability occurs when a system's security check depends almost entirely on just one condition, object, or piece of data to decide whether to grant access to sensitive resources or actions. It's like having a single, easily compromised lock on a vault, instead of a layered defense. |
| CWE-655 | Insufficient Psychological Acceptability | This weakness occurs when security features are so cumbersome or confusing that well-intentioned users feel forced to turn them off or find workarounds, defeating their purpose entirely. |
| CWE-657 | Violation of Secure Design Principles | This weakness occurs when a system's architecture or design fails to follow fundamental security principles, creating a flawed foundation that can lead to multiple vulnerabilities. |
| CWE-662 | Improper Synchronization | This vulnerability occurs when a multi-threaded or multi-process application allows shared resources to be accessed by multiple threads or processes simultaneously, without proper safeguards to enforce exclusive access. |
| CWE-664 | Improper Control of a Resource Through its Lifetime | This vulnerability occurs when software fails to properly manage a resource throughout its entire lifecycle—from creation and active use to its final release or destruction. |
| CWE-667 | Improper Locking | This vulnerability occurs when a program fails to correctly acquire or release a lock on a shared resource, such as a file, database record, or memory location. This improper synchronization allows other processes or threads to interfere, leading to corrupted data, crashes, or unpredictable behavior. |
| CWE-670 | Always-Incorrect Control Flow Implementation | This weakness occurs when a section of code is structured in a way that always executes incorrectly, regardless of input or conditions. The control flow logic is fundamentally flawed and does not match the intended algorithm. |
| CWE-697 | Incorrect Comparison | This weakness occurs when a security-critical decision relies on a flawed comparison between two pieces of data. The incorrect logic can create a gap that attackers exploit to bypass checks or trigger unintended behavior. |
| CWE-707 | Improper Neutralization | This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external source or sent to another component. This allows malformed messages to be processed, which can lead to misinterpretation and security breaches. |
| CWE-708 | Incorrect Ownership Assignment | This vulnerability occurs when a system grants ownership of a resource to an entity that should not have that level of control, placing it outside the intended security boundary. |
| CWE-73 | External Control of File Name or Path | This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | This vulnerability occurs when a system grants overly permissive access to a sensitive resource, allowing unauthorized users or processes to read or alter it. |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | This vulnerability occurs when an application uses a one-way hash (like for password storage) but combines it with a predictable or easily guessed salt. This undermines the security benefit of salting, making pre-computed attack methods like rainbow tables highly effective. |
| CWE-761 | Free of Pointer not at Start of Buffer | This vulnerability occurs when a program incorrectly frees a memory pointer that no longer points to the beginning of the allocated heap buffer, often due to pointer arithmetic. |
| CWE-763 | Release of Invalid Pointer or Reference | This vulnerability occurs when a program tries to free a memory resource back to the system but uses an incorrect deallocation method or calls the correct method improperly. |
| CWE-764 | Multiple Locks of a Critical Resource | This vulnerability occurs when a critical resource, such as a file, data structure, or connection, is locked more times than the software logic intended, putting the system into an unstable or unresponsive state. |
| CWE-765 | Multiple Unlocks of a Critical Resource | This vulnerability occurs when a critical resource, like a lock or semaphore, is unlocked more times than it was locked, putting the system into an unexpected and potentially unstable state. |
| CWE-767 | Access to Critical Private Variable via Public Method | This vulnerability occurs when a class exposes a public method that directly accesses or alters a private variable. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after it is no longer needed. This leads to a gradual accumulation of unused resources, known as a resource leak. |
| CWE-780 | Use of RSA Algorithm without OAEP | This vulnerability occurs when an application implements RSA encryption but fails to use Optimal Asymmetric Encryption Padding (OAEP), significantly weakening the cryptographic protection. |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | This vulnerability occurs when an application makes security decisions—like granting access or verifying identity—based solely on cookie data without first confirming the cookie's authenticity or integrity. |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer | This vulnerability occurs when a program uses a path manipulation function but supplies an output buffer that is too small to hold the maximum possible path length, such as PATH_MAX. |
| CWE-798 | Use of Hard-coded Credentials | This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files. |
| CWE-820 | Missing Synchronization | This vulnerability occurs when multiple parts of your application (like threads or processes) use the same resource—such as a variable, file, or data structure—without proper coordination to control who accesses it and when. |
| CWE-821 | Incorrect Synchronization | This vulnerability occurs when multiple parts of a program, such as threads or processes, access a shared resource like a variable, file, or data structure without proper coordination, leading to a race condition. |
| CWE-822 | Untrusted Pointer Dereference | This vulnerability occurs when software takes a value from an untrusted source, treats it as a memory address (a pointer), and then accesses that memory location directly for reading or writing. |
| CWE-823 | Use of Out-of-range Pointer Offset | This vulnerability occurs when a program calculates a new memory address using a valid pointer and an offset, but the resulting address points outside the intended, safe memory region, such as beyond the bounds of an array or structure. |
| CWE-824 | Access of Uninitialized Pointer | This vulnerability occurs when a program tries to use a pointer variable before it has been assigned a valid memory address. |
| CWE-825 | Expired Pointer Dereference | This vulnerability occurs when a program tries to use a pointer that still points to a memory location that has already been freed or released. |
| CWE-91 | XML Injection (aka Blind XPath Injection) | XML Injection occurs when an application fails to properly validate or escape user-controlled input before including it in XML documents or queries. This allows attackers to inject malicious XML elements or syntax, potentially altering the document's structure, extracting sensitive data, or disrupting processing logic. |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to. |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Expression Language Injection occurs when an application uses untrusted, external input to build an expression language statement—common in frameworks like Java Server Pages (JSP)—without properly sanitizing it. This allows an attacker to inject malicious expressions that alter the intended logic and execute arbitrary code when the statement is processed. |
| CWE-922 | Insecure Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data—like credentials, personal information, or encryption keys—without enforcing proper access controls, allowing unauthorized users to read or modify it. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | This vulnerability occurs when an application receives data over a network but fails to properly verify that the information wasn't altered in transit. |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver | This vulnerability occurs when an Android app's Broadcast Receiver accepts an Intent without confirming it originated from a trusted, authorized source, such as the operating system. |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | This vulnerability occurs when an application accepts user input as a resource identifier (like a file path or port number) without proper validation, allowing an attacker to access or manipulate resources outside the intended scope. |
| CWE-1345 | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control | Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021. |
| CWE-1346 | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures | Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021. |
| CWE-1347 | OWASP Top Ten 2021 Category A03:2021 - Injection | Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021. |
| CWE-1348 | OWASP Top Ten 2021 Category A04:2021 - Insecure Design | Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021. |
| CWE-1349 | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration | Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021. |
| CWE-1352 | OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components | Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top Ten 2021. |
| CWE-1353 | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures | Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021. |
| CWE-1354 | OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures | Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top Ten 2021. |
| CWE-1355 | OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures | Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top Ten 2021. |
| CWE-1356 | OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) | Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top Ten 2021. |
| CWE-1359 | ICS Communications | Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CWE-1360 | ICS Dependencies (& Architecture) | Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CWE-1361 | ICS Supply Chain | Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CWE-1362 | ICS Engineering (Constructions/Deployment) | Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CWE-1363 | ICS Operations (& Maintenance) | Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CWE-1364 | ICS Communications: Zone Boundary Failures | Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1365 | ICS Communications: Unreliability | Weaknesses in this category are related to the "Unreliability" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise in reaction to disruptions in the physical layer (e.g. creating electrical noise) used to carry the traffic." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1366 | ICS Communications: Frail Security in Protocols | Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1367 | ICS Dependencies (& Architecture): External Physical Systems | Weaknesses in this category are related to the "External Physical Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another physical system could cause an availability interruption for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1368 | ICS Dependencies (& Architecture): External Digital Systems | Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1369 | ICS Supply Chain: IT/OT Convergence/Expansion | Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1370 | ICS Supply Chain: Common Mode Frailties | Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1371 | ICS Supply Chain: Poorly Documented or Undocumented Features | Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1372 | ICS Supply Chain: OT Counterfeit and Malicious Corruption | Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1373 | ICS Engineering (Construction/Deployment): Trust Model Problems | Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1374 | ICS Engineering (Construction/Deployment): Maker Breaker Blindness | Weaknesses in this category are related to the "Maker Breaker Blindness" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Lack of awareness of deliberate attack techniques by people (vs failure modes from natural causes like weather or metal fatigue) may lead to insufficient security controls being built into ICS systems." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1375 | ICS Engineering (Construction/Deployment): Gaps in Details/Data | Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1376 | ICS Engineering (Construction/Deployment): Security Gaps in Commissioning | Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1377 | ICS Engineering (Construction/Deployment): Inherent Predictability in Design | Weaknesses in this category are related to the "Inherent Predictability in Design" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The commonality of design (in ICS/SCADA architectures) for energy systems and environments opens up the possibility of scaled compromise by leveraging the inherent predictability in the design." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1378 | ICS Operations (& Maintenance): Gaps in obligations and training | Weaknesses in this category are related to the "Gaps in obligations and training" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "OT ownership and responsibility for identifying and mitigating vulnerabilities are not clearly defined or communicated within an organization, leaving environments unpatched, exploitable, and with a broader attack surface." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1379 | ICS Operations (& Maintenance): Human factors in ICS environments | Weaknesses in this category are related to the "Human factors in ICS environments" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Environmental factors in ICS including physical duress, system complexities, and isolation may result in security gaps or inadequacies in the performance of individual duties and responsibilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1380 | ICS Operations (& Maintenance): Post-analysis changes | Weaknesses in this category are related to the "Post-analysis changes" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Changes made to a previously analyzed and approved ICS environment can introduce new security vulnerabilities (as opposed to safety)." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1381 | ICS Operations (& Maintenance): Exploitable Standard Operational Procedures | Weaknesses in this category are related to the "Exploitable Standard Operational Procedures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Standard ICS Operational Procedures developed for safety and operational functionality in a closed, controlled communications environment can introduce vulnerabilities in a more connected environment." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1382 | ICS Operations (& Maintenance): Emerging Energy Technologies | Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1383 | ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements | Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-16 | Configuration | Weaknesses in this category are typically introduced during the configuration of the software. |
| CWE-264 | Permissions, Privileges, and Access Controls | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| CWE-320 | Key Management Errors | Weaknesses in this category are related to errors in the management of cryptographic keys. |
| CWE-387 | Signal Errors | Weaknesses in this category are related to the improper handling of signals. |
| CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete. It is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex navigation of the entire CWE corpus. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-1358 | Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1424 | Weaknesses Addressed by ISA/IEC 62443 Requirements | This view (slice) covers weaknesses that are addressed by following requirements in the ISA/IEC 62443 series of standards for industrial automation and control systems (IACS). Members of the CWE ICS/OT SIG analyzed a set of CWEs and mapped them to specific requirements covered by ISA/IEC 62443. These mappings are recorded in Taxonomy_Mapping elements. |
| CWE-635 | Weaknesses Originally Used by NVD from 2008 to 2016 | CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. |
Mapping Notes
Usage: Prohibited
Reasons: View
Rationale:
This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.
Comment:
Use this View or other Views to search and navigate for the appropriate weakness.