Category: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)

Stable
Summary

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Membership
ID | Name | Description
--- | --- | ---
CWE-259 | Use of Hard-coded Password | This vulnerability occurs when an application embeds a password directly into its source code or configuration files. This hard-coded secret is then used either to authenticate incoming users or to connect to external services and databases.
CWE-311 | Missing Encryption of Sensitive Data | This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed.
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security standards.
CWE-330 | Use of Insufficiently Random Values | This vulnerability occurs when an application uses random values that are not sufficiently unpredictable in security-sensitive operations, making them easier for attackers to guess or calculate.
CWE-332 | Insufficient Entropy in PRNG | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) doesn't have enough randomness (entropy) to start with, or isn't using enough during operation. This makes its outputs predictable, undermining both system stability and security.
CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is repeatedly initialized with the same starting seed value.
CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) uses an easily guessable starting value, like the current system time or a process ID, to begin its sequence.
CWE-400 | Uncontrolled Resource Consumption | This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a denial of service.
CWE-401 | Missing Release of Memory after Effective Lifetime | This vulnerability occurs when a program allocates memory but fails to properly release it after it's no longer needed, causing a gradual accumulation of unused memory that can't be reclaimed by the system.
CWE-770 | Allocation of Resources Without Limits or Throttling | This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of it as a buffet with no rules on how much one person can take, eventually leaving nothing for others and causing the system to fail.
CWE-798 | Use of Hard-coded Credentials | This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
CWE-1133 | Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects the current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.