Category: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)

Status: Stable
Summary

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Membership
ID | Name | Description
CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | This vulnerability occurs when a system checks user input for malicious content before standardizing its format, allowing specially crafted data to bypass security checks.
CWE-198 | Use of Incorrect Byte Ordering | This vulnerability occurs when software processes data from another system without considering byte order (endianness), such as big-endian or little-endian. This mismatch can cause the program to misinterpret numbers or values, leading to incorrect calculations, crashes, or security flaws.
CWE-276 | Incorrect Default Permissions | This vulnerability occurs when software installation scripts set overly permissive file or directory access rights by default. Instead of restricting write access to authorized users or processes, the installation allows unintended actors to modify, delete, or corrupt critical application files.
CWE-279 | Incorrect Execution-Assigned Permissions | This vulnerability occurs when a running application incorrectly changes an object's access permissions, overriding the security settings that a user or administrator intentionally configured.
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | This vulnerability occurs when an application fails to adequately protect sensitive personal data, allowing access to individuals who either lack proper authorization or haven't provided necessary consent for its use.
CWE-377 | Insecure Temporary File | This vulnerability occurs when an application creates temporary files with insecure permissions or in predictable locations, allowing attackers to read, modify, or delete sensitive data.
CWE-404 | Improper Resource Shutdown or Release | This vulnerability occurs when a program fails to properly close or release a system resource—like a file handle, database connection, or memory block—after it's no longer needed, preventing its reuse.
CWE-405 | Asymmetric Resource Consumption (Amplification) | This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.
CWE-459 | Incomplete Cleanup | This vulnerability occurs when an application fails to properly remove temporary files, data structures, or system resources after they are no longer needed.
CWE-532 | Insertion of Sensitive Information into Log File | This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files.
CWE-647 | Use of Non-Canonical URL Paths for Authorization Decisions | This vulnerability occurs when an application's authorization logic relies on specific URL paths but fails to enforce a single, standardized format. Attackers can bypass access controls by using alternative, equivalent URL formats that the system doesn't recognize as the same protected resource.
CWE-67 | Improper Handling of Windows Device Names | This vulnerability occurs when an application builds file paths from user input but fails to properly recognize or handle Windows reserved device names like AUX, CON, or COM1. Attackers can exploit this by submitting these special names, which typically causes the application to crash, hang, or leak sensitive information when it tries to access them as regular files.
CWE-705 | Incorrect Control Flow Scoping | This vulnerability occurs when a program fails to return execution to the correct point in the code after finishing a specific operation or handling an error. Instead of resuming normal flow, it may jump to an unintended location, leading to unpredictable behavior or security issues.
CWE-732 | Incorrect Permission Assignment for Critical Resource | This vulnerability occurs when a system grants overly permissive access to a sensitive resource, allowing unauthorized users or processes to read or alter it.
CWE-770 | Allocation of Resources Without Limits or Throttling | This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of it as a buffet with no rules on how much one person can take, eventually leaving nothing for others and causing the system to fail.
CWE-1133 | Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects the current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale: This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment: See member weaknesses of this category.