Category: Comprehensive Categorization: Access Control
Incomplete
Summary
Weaknesses in this category are related to access control.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | This vulnerability occurs when an application stores sensitive data in a cookie but fails to set the 'HttpOnly' flag, leaving the cookie accessible to client-side scripts. |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | This vulnerability occurs when a web application fails to properly control whether its pages can be embedded within frames or UI layers from other websites, potentially misleading users about which site they are interacting with. |
| CWE-1022 | Use of Web Link to Untrusted Target with window.opener Access | This vulnerability occurs when a web application links to an external, untrusted site without protecting its own window from being manipulated by that site. Specifically, it fails to prevent the external page from altering security-sensitive properties of the `window.opener` object, such as the page's location. |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify sensitive internal registers and bypass the chip's built-in security protections. |
| CWE-1220 | Insufficient Granularity of Access Control | This vulnerability occurs when a system's access controls are too broad, allowing unauthorized users or processes to read or modify sensitive resources. Instead of implementing precise, fine-grained permissions, the security policy uses overly permissive rules that fail to properly restrict access to critical assets like configuration data, keys, or system registers. |
| CWE-1222 | Insufficient Granularity of Address Regions Protected by Register Locks | This vulnerability occurs when a hardware design uses a single lock bit to protect a large, coarse block of memory addresses. This lack of granularity creates a conflict: the system needs to lock critical configuration settings early for security, but software also needs to write to other parts of that same address region during normal operation, which the lock incorrectly prevents. |
| CWE-1224 | Improper Restriction of Write-Once Bit Fields | This vulnerability occurs when hardware write-once protection mechanisms, often called 'sticky bits,' are incorrectly implemented, allowing software to reprogram them multiple times. |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | This vulnerability occurs when an application protects the primary source of sensitive data but fails to secure the metadata derived from it. Attackers can then access this secondary information, which may leak critical details about the original content. |
| CWE-1231 | Improper Prevention of Lock Bit Modification | This vulnerability occurs when hardware or firmware uses a lock bit to protect critical system registers or memory regions, but fails to properly prevent that lock bit from being changed after it has been enabled. This design flaw allows attackers to bypass hardware-enforced security restrictions. |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | This vulnerability occurs when a hardware device uses a lock bit to protect critical configuration registers, but the lock fails to prevent writes to all registers that can alter the protected system settings. Essentially, the security mechanism is incomplete, allowing software to bypass it and modify sensitive hardware configurations. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | This vulnerability occurs when a hardware device or chip includes undocumented configuration bits (often called 'chicken bits') or hidden features that can disable security controls or enable privileged functions. |
| CWE-1243 | Sensitive Non-Volatile Information Not Protected During Debug | This vulnerability occurs when security-critical data stored in hardware fuses is left unprotected and accessible during debug modes. |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | This vulnerability occurs when a system's debug or test interface supports multiple access levels, but an internal asset is incorrectly assigned a permissive debug access level. This mistake allows untrusted debug agents to access sensitive internal assets they should not be able to reach. |
| CWE-1252 | CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations | This vulnerability occurs when a CPU's hardware is not set up to enforce a strict separation between writing data to memory and executing instructions from it. Without this hardware-level protection, attackers can potentially write malicious code into memory and then run it. |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | This vulnerability occurs when a system's software interfaces to hardware features—like power, clock, or performance management—are not properly locked down. This allows attackers to misuse these interfaces from software to tamper with hardware memory or registers, or to gather sensitive data by observing physical side effects, without needing physical access to the device. |
| CWE-1257 | Improper Access Control Applied to Mirrored or Aliased Memory Regions | This vulnerability occurs when a hardware design maps the same physical memory to multiple addresses (aliasing or mirroring) but fails to apply consistent read/write permissions across all these addresses. An attacker blocked from accessing a protected memory region might still reach the same data through its unprotected aliased address, bypassing security controls. |
| CWE-1259 | Improper Restriction of Security Token Assignment | This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly secure its Security Token mechanism. These tokens control which actions different system components are allowed to perform, but inadequate protection allows them to be manipulated. |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | This vulnerability occurs when a system incorrectly allows different memory protection ranges to overlap. This flaw can let attackers bypass security controls and access restricted memory areas. |
| CWE-1262 | Improper Access Control for Register Interface | This vulnerability occurs when a system's hardware registers, which act as a software-to-hardware control panel, lack proper access restrictions. Malicious or flawed software can directly manipulate these registers, leading to unauthorized changes in hardware behavior. |
| CWE-1263 | Improper Physical Access Control | This vulnerability occurs when a device or system has areas meant to be physically secure, but the safeguards in place are too weak to stop someone with direct physical access from reaching restricted components or data. |
| CWE-1267 | Policy Uses Obsolete Encoding | This vulnerability occurs when a hardware system uses outdated or deprecated encoding methods to enforce security policies and access controls. |
| CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents | This vulnerability occurs when hardware access control policies are inconsistent, allowing an agent with control privileges to modify write permissions even when it shouldn't have direct write access. |
| CWE-1270 | Generation of Incorrect Security Tokens | This vulnerability occurs when a system's security token mechanism, designed to control permissions for different entities or agents, generates tokens that are fundamentally flawed or incorrect. |
| CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | This vulnerability occurs when a system's secure-boot process loads bootloader code into volatile memory (like DRAM or SRAM) but fails to properly lock down that memory region afterward. Without strong access controls, an attacker can modify the boot code in memory, bypassing secure boot and running malicious software. |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | This vulnerability occurs when a sensitive cookie does not have a secure SameSite attribute configured, leaving it exposed to cross-site request forgery (CSRF) attacks. |
| CWE-1276 | Hardware Child Block Incorrectly Connected to Parent System | This vulnerability occurs when a hardware component (IP block) is wired incorrectly to the main system, creating hidden security flaws even if basic functions appear to work. |
| CWE-1283 | Mutable Attestation or Measurement Reporting Data | This vulnerability occurs when the hardware registers storing boot integrity measurements can be altered by an attacker, allowing them to forge verification data and hide a compromised boot process. |
| CWE-1290 | Incorrect Decoding of Security Identifiers | This vulnerability occurs when a hardware decoder incorrectly interprets security identifiers in bus transactions, allowing untrusted agents to gain unauthorized access to protected assets. |
| CWE-1292 | Incorrect Conversion of Security Identifiers | This vulnerability occurs when a hardware system incorrectly translates security identifiers during bus protocol conversion. An improper mapping allows untrusted agents to bypass security checks and gain unauthorized access to protected assets or functions. |
| CWE-1294 | Insecure Security Identifier Mechanism | This vulnerability occurs when a System-on-Chip (SoC) implements a Security Identifier mechanism to control transaction permissions, but the implementation contains flaws that undermine its security. |
| CWE-1296 | Incorrect Chaining or Granularity of Debug Components | This vulnerability occurs when hardware debug components, such as test ports and scan chains, are incorrectly connected or organized within a chip's design. This misconfiguration can create unintended access paths, potentially exposing sensitive internal data or functions. |
| CWE-1297 | Unprotected Confidential Information on Device is Accessible by OSAT Vendors | This vulnerability occurs when a semiconductor chip does not properly secure sensitive data, making it accessible to third-party Outsourced Semiconductor Assembly and Test (OSAT) vendors during the manufacturing process. |
| CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface | This vulnerability occurs when a hardware component's security controls only protect the primary access path, leaving alternate interfaces unprotected. Attackers can bypass intended restrictions by accessing sensitive assets through these unguarded backdoors, such as shadow registers or other external-facing ports. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration files like web.config. This exposes those credentials to anyone with file system access, effectively bypassing security controls and granting unauthorized access to protected resources. |
| CWE-1302 | Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) | This vulnerability occurs when a System-On-Chip (SoC) component sends a transaction without its required security identifier. The destination hardware cannot properly verify permissions, leading to unintended access or system failure. |
| CWE-1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation | This vulnerability occurs when a hardware component saves its configuration state during a power-down operation but fails to protect or verify the integrity of that saved data before restoring it. As a result, an attacker can tamper with the stored settings, leading to a compromised state when the device powers back on. |
| CWE-1311 | Improper Translation of Security Attributes by Fabric Bridge | This vulnerability occurs when a hardware bridge incorrectly converts security attributes between different fabric protocols, potentially changing a transaction's identity from trusted to untrusted or vice versa during protocol translation. |
| CWE-1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall | An on-chip fabric firewall fails to apply its security rules to mirrored memory or MMIO regions, only protecting the primary address range. This allows attackers to bypass read/write restrictions by targeting the unprotected mirrored copies. |
| CWE-1313 | Hardware Allows Activation of Test or Debug Logic at Runtime | This vulnerability occurs when hardware includes test or debug features that remain accessible during normal operation. An attacker can activate these features at runtime to alter the hardware's state, bypass security controls, and potentially leak or manipulate sensitive data. |
| CWE-1314 | Missing Write Protection for Parametric Data Values | This vulnerability occurs when a hardware device fails to protect the scaling parameters used to convert raw sensor readings. Untrusted software can alter these conversion factors, making dangerous conditions appear safe and potentially leading to hardware damage or system failure. |
| CWE-1315 | Improper Setting of Bus Controlling Capability in Fabric End-point | This vulnerability occurs when a hardware fabric endpoint is incorrectly configured to grant bus controller privileges to a device that should only respond to requests. This allows an unauthorized device to initiate and control data transactions across the system bus. |
| CWE-1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges | This vulnerability occurs when a hardware fabric's address map incorrectly allows protected and unprotected memory regions to overlap. Attackers can exploit this overlap to bypass security controls and access restricted data or functions. |
| CWE-1317 | Improper Access Control in Fabric Bridge | This vulnerability occurs when a hardware fabric bridge, which connects different IP blocks on a chip, fails to properly verify access permissions for transactions passing through it. The bridge forwards requests without checking the master's privilege level or the hardware identity, effectively bypassing critical security controls. |
| CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals | This vulnerability occurs when hardware alert systems for critical conditions, like overheating or power surges, lack proper security. Untrusted software or agents can disable these warnings or trigger false alarms, preventing the system from taking protective actions. |
| CWE-1323 | Improper Management of Sensitive Trace Data | This vulnerability occurs when sensitive trace data from a System-on-Chip (SoC), such as information from CPUs or cryptographic modules, is stored in unsecured memory or transmitted to unauthorized debuggers, potentially exposing confidential information. |
| CWE-1328 | Security Version Number Mutable to Older Versions | This vulnerability occurs when a hardware system's security version number can be changed, allowing an attacker to downgrade or roll back the boot firmware to older, vulnerable versions. |
| CWE-1334 | Unauthorized Error Injection Can Degrade Hardware Redundancy | This vulnerability occurs when an attacker without proper permissions can deliberately inject faults into a hardware system's backup components. This action disables the redundancy, forcing the system into a less secure, degraded state. |
| CWE-1390 | Weak Authentication | This vulnerability occurs when a system's login or identity verification process is too easy to bypass or fool. While it attempts to check who a user claims to be, the checks are insufficient, allowing attackers to impersonate legitimate users. |
| CWE-1391 | Use of Weak Credentials | This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily guessable values—that an attacker can deduce, reuse, or predict without needing to perform a full brute-force attack. |
| CWE-1392 | Use of Default Credentials | This vulnerability occurs when a system, device, or application relies on pre-configured, publicly known credentials like passwords or encryption keys for access to critical functions. |
| CWE-1393 | Use of Default Password | This vulnerability occurs when a system or device uses a pre-configured, publicly known password for authentication, often for administrative or critical functions. |
| CWE-1394 | Use of Default Cryptographic Key | This vulnerability occurs when a system uses a pre-configured, publicly known cryptographic key for security-critical operations instead of generating a unique one. |
| CWE-202 | Exposure of Sensitive Information Through Data Queries | This vulnerability occurs when an attacker uses statistical analysis on aggregated or anonymized data to uncover sensitive details about individuals, even when direct identifiers are removed. |
| CWE-256 | Plaintext Storage of a Password | This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them. |
| CWE-257 | Storing Passwords in a Recoverable Format | This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their original plaintext form. This practice, often called storing 'recoverable' passwords, defeats the core purpose of password protection. It allows anyone with access to the stored data—including attackers who breach the system or even malicious insiders—to obtain and reuse the actual passwords on other accounts, offering no real security advantage over storing them in plain text. |
| CWE-258 | Empty Password in Configuration File | This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account. |
| CWE-259 | Use of Hard-coded Password | This vulnerability occurs when an application embeds a password directly into its source code or configuration files. This hard-coded secret is then used either to authenticate incoming users or to connect to external services and databases. |
| CWE-260 | Password in Configuration File | This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable to anyone with access to that file. |
| CWE-261 | Weak Encoding for Password | Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed. |
| CWE-262 | Not Using Password Aging | This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely. |
| CWE-263 | Password Aging with Long Expiration | The system enforces password changes, but the time allowed between changes is excessively long, weakening security. |
| CWE-266 | Incorrect Privilege Assignment | This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not have. This error creates an unintended level of access, allowing the actor to perform actions beyond their intended authority. |
| CWE-267 | Privilege Defined With Unsafe Actions | This vulnerability occurs when a system grants a user, role, or process a specific permission that can be misused to perform dangerous, unintended actions. The permission itself is correctly assigned, but its scope is too broad or allows for unsafe operations. |
| CWE-268 | Privilege Chaining | Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow. |
| CWE-269 | Improper Privilege Management | This vulnerability occurs when an application fails to correctly manage user permissions, allowing someone to perform actions or access data beyond their intended authority. |
| CWE-270 | Privilege Context Switching Error | This vulnerability occurs when an application fails to properly manage user permissions while moving between different security contexts, potentially allowing unauthorized actions. |
| CWE-271 | Privilege Dropping / Lowering Errors | This vulnerability occurs when a system or process fails to reduce its elevated permissions before transferring control of a resource to a less-privileged user or component. |
| CWE-272 | Least Privilege Violation | This vulnerability occurs when software fails to reduce its elevated system privileges after completing a sensitive operation, leaving it with unnecessary and dangerous access rights. |
| CWE-273 | Improper Check for Dropped Privileges | This vulnerability occurs when an application tries to lower its system privileges but fails to verify that the operation was successful. |
| CWE-274 | Improper Handling of Insufficient Privileges | This vulnerability occurs when an application fails to properly manage situations where it lacks the necessary permissions to execute an action. This flawed handling can lead to crashes, data corruption, or unintended security bypasses. |
| CWE-276 | Incorrect Default Permissions | This vulnerability occurs when software installation scripts set overly permissive file or directory access rights by default. Instead of restricting write access to authorized users or processes, the installation allows unintended actors to modify, delete, or corrupt critical application files. |
| CWE-277 | Insecure Inherited Permissions | This vulnerability occurs when an application sets default file or directory permissions that are too permissive, and these insecure settings are automatically passed down to new files or objects the program creates. |
| CWE-278 | Insecure Preserved Inherited Permissions | This vulnerability occurs when a software product copies or extracts files while unintentionally preserving insecure permissions from their original source, such as an archive, without the user's knowledge or consent. |
| CWE-279 | Incorrect Execution-Assigned Permissions | This vulnerability occurs when a running application incorrectly changes an object's access permissions, overriding the security settings that a user or administrator intentionally configured. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | This vulnerability occurs when a system fails to properly manage situations where it lacks the necessary permissions to perform an action or access a resource. This flawed handling can force the application into unintended states or error paths, potentially leading to crashes, data corruption, or security bypasses. |
| CWE-281 | Improper Preservation of Permissions | This vulnerability occurs when a system fails to correctly maintain file or object permissions during operations like copying, sharing, or restoring data. As a result, these resources can end up with weaker, more permissive security settings than the original owner intended. |
| CWE-282 | Improper Ownership Management | This vulnerability occurs when a system incorrectly assigns or fails to verify which user or process rightfully controls a specific object or resource. |
| CWE-283 | Unverified Ownership | This vulnerability occurs when an application fails to confirm that a user has legitimate ownership rights to a sensitive resource before allowing them to perform actions on it. |
| CWE-284 | Improper Access Control | The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it. |
| CWE-285 | Improper Authorization | This vulnerability occurs when an application fails to properly verify whether a user has permission to access specific data or perform certain actions before allowing the request. |
| CWE-286 | Incorrect User Management | This vulnerability occurs when an application incorrectly handles user accounts, roles, or group memberships, leading to improper access control. |
| CWE-287 | Improper Authentication | Improper Authentication occurs when a system fails to properly verify a user's claimed identity, allowing access without sufficient proof of who they are. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | This vulnerability occurs when a system has a primary login requirement, but attackers can find an unprotected backdoor or alternative route that completely bypasses those checks. |
| CWE-289 | Authentication Bypass by Alternate Name | This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names or aliases that could refer to the same entity, allowing attackers to bypass authentication. |
| CWE-290 | Authentication Bypass by Spoofing | This weakness occurs when an application's authentication system can be tricked into accepting forged or manipulated credentials, allowing unauthorized access without proper verification. |
| CWE-291 | Reliance on IP Address for Authentication | This vulnerability occurs when a system uses a client's IP address as the sole or primary method to verify their identity. |
| CWE-293 | Using Referer Field for Authentication | This vulnerability occurs when a web application uses the HTTP Referer header as a sole or primary method for authentication or authorization decisions. Since this header is entirely controlled by the user's browser or client and can be easily forged, it provides no reliable security. |
| CWE-294 | Authentication Bypass by Capture-replay | This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain unauthorized access. The system accepts the replayed data as valid, effectively bypassing normal authentication checks. |
| CWE-295 | Improper Certificate Validation | This vulnerability occurs when an application fails to properly verify the authenticity of a digital certificate, or performs the verification incorrectly, allowing untrusted connections to appear legitimate. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | This vulnerability occurs when software fails to properly validate the entire certificate chain back to a trusted root authority. This mistake can cause the system to incorrectly trust a certificate and the resource it represents, creating a security gap. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | This vulnerability occurs when an application accepts a valid SSL/TLS certificate without properly verifying that it actually belongs to the specific host it's connecting to. Even a correctly signed certificate from a trusted authority can be misused if the hostname check is missing or flawed. |
| CWE-298 | Improper Validation of Certificate Expiration | This vulnerability occurs when an application fails to properly check if a digital certificate has expired, potentially trusting certificates that are no longer valid due to their age. |
| CWE-299 | Improper Check for Certificate Revocation | This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy certificate. |
| CWE-300 | Channel Accessible by Non-Endpoint | This vulnerability occurs when a system fails to properly verify who is on the other end of a communication link or to secure the channel itself. This allows an unauthorized third party to access or manipulate the communication as if they were a legitimate participant. |
| CWE-301 | Reflection Attack in an Authentication Protocol | A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing the secret key. This happens when an attacker can bounce, or 'reflect,' a server's own challenge back to it using a second connection, tricking the system into granting access. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can manipulate it to bypass login or verification checks. |
| CWE-303 | Incorrect Implementation of Authentication Algorithm | This weakness occurs when a developer implements a standard authentication algorithm, but makes critical mistakes in the code that cause it to function incorrectly. |
| CWE-304 | Missing Critical Step in Authentication | This vulnerability occurs when a software authentication process omits a required step, weakening its overall security. |
| CWE-305 | Authentication Bypass by Primary Weakness | This vulnerability occurs when a system's core authentication logic is technically correct, but an attacker can completely bypass it by exploiting a separate, more fundamental flaw in the application. |
| CWE-306 | Missing Authentication for Critical Function | This vulnerability occurs when a software feature that performs a sensitive action or uses significant system resources does not verify the user's identity before executing. Attackers can exploit this to trigger critical functions without any credentials. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials. |
| CWE-308 | Use of Single-factor Authentication | Relying solely on single-factor authentication, like a password, exposes systems to significant security risks because it depends on only one type of proof for verifying a user's identity. |
| CWE-309 | Use of Password System for Primary Authentication | This weakness occurs when an application relies solely on password-based authentication as its main security gate. This single-factor approach is inherently vulnerable to a range of attacks that can compromise user accounts. |
| CWE-321 | Use of Hard-coded Cryptographic Key | This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or configuration files. |
| CWE-322 | Key Exchange without Entity Authentication | This vulnerability occurs when a system establishes a cryptographic key with another party without first confirming that party's true identity. |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | This vulnerability occurs when an application uses a reverse DNS lookup on an IP address to get a hostname and then uses that hostname for a security decision—like access control or logging—without verifying that the IP address actually belongs to that hostname. |
| CWE-370 | Missing Check for Certificate Revocation after Initial Check | This vulnerability occurs when software only verifies a certificate's revocation status once, then continues to trust it for subsequent privileged actions without re-checking. This allows operations to proceed even if the certificate is revoked later. |
| CWE-384 | Session Fixation | Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker who knows that session identifier to hijack the user's authenticated session. |
| CWE-419 | Unprotected Primary Channel | This vulnerability occurs when an application exposes a privileged administrative interface or restricted functionality through a primary channel (like a specific port, endpoint, or protocol) without implementing adequate security controls to protect it. |
| CWE-420 | Unprotected Alternate Channel | This vulnerability occurs when an application secures its main communication path but leaves a backup or alternative channel with weaker or no protection. |
| CWE-421 | Race Condition During Access to Alternate Channel | A race condition occurs when an application opens a secondary communication channel intended for an authorized user, but fails to secure it, allowing other actors to potentially access it first. |
| CWE-422 | Unprotected Windows Messaging Channel ('Shatter') | This vulnerability, often called a 'Shatter' attack, occurs when a Windows application running with high privileges accepts messages from the Windows messaging system without verifying their source. This allows a less-privileged or malicious application to send commands directly to the privileged application, potentially hijacking its functionality. |
| CWE-425 | Direct Request ('Forced Browsing') | This vulnerability occurs when a web application fails to verify user permissions for every protected page, file, or API endpoint, allowing attackers to access them directly. |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | A confused deputy vulnerability occurs when a system receives a request from a client and forwards it to an external destination without properly identifying the original source. This makes the system appear to be the originator of the request, effectively turning it into an unintended proxy for the client. |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | This vulnerability occurs when a .NET application is configured to run with impersonation, potentially granting it excessive system-level permissions that attackers could exploit. |
| CWE-521 | Weak Password Requirements | This vulnerability occurs when an application fails to enforce strong password policies, making user accounts easier to compromise through guessing or automated attacks. |
| CWE-522 | Insufficiently Protected Credentials | This vulnerability occurs when an application handles sensitive credentials like passwords or API keys in an insecure way, making them easy for attackers to steal during transmission or while stored. |
| CWE-523 | Unprotected Transport of Credentials | This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a network without proper encryption, exposing them to interception. |
| CWE-549 | Missing Password Field Masking | This vulnerability occurs when an application fails to hide password characters as they are typed, making them visible to anyone who can see the screen. This exposes user credentials to onlookers or screen-capturing malware. |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | This vulnerability occurs when a web server checks access permissions before fully processing and normalizing a URL, potentially allowing attackers to bypass security controls. |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | A J2EE application insecurely stores an unprotected password within a configuration file. |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation | This vulnerability occurs when an ASP.NET application is configured to run using impersonated credentials, which can grant the application excessive and unnecessary system privileges. |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | This vulnerability occurs when an application allows a user to directly control the primary key value used in a SQL query, enabling them to access database records they are not authorized to view. |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | This vulnerability occurs when an application modifies an OpenSSL context object after it has already been used to create active SSL/TLS connections. |
| CWE-599 | Missing Validation of OpenSSL Certificate | This vulnerability occurs when an application uses OpenSSL but fails to properly verify server certificates by not calling SSL_get_verify_result(). Without this validation, the application may accept insecure or fraudulent certificates. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect, allowing an attacker to send users to an untrusted, external website. |
| CWE-603 | Use of Client-Side Authentication | This vulnerability occurs when an application places its authentication logic solely within the client-side code, such as in a mobile app or web browser, without enforcing the same checks on the server. Attackers can bypass authentication by modifying the client to skip these checks entirely. |
| CWE-611 | Improper Restriction of XML External Entity Reference | This vulnerability occurs when an application processes XML input without properly restricting external entity references. Attackers can exploit this to read local files, trigger internal network requests, or cause denial of service. |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information | This vulnerability occurs when a system indexes sensitive documents for search but fails to properly restrict who can query that index. Attackers can then discover and extract confidential information from the indexed content without having direct access to the original files. |
| CWE-613 | Insufficient Session Expiration | Insufficient session expiration occurs when an application allows old session tokens or IDs to remain valid for too long, letting attackers reuse them to gain unauthorized access. |
| CWE-620 | Unverified Password Change | This vulnerability occurs when an application allows a user to set a new password without first verifying their identity through the old password or a secure secondary authentication method. |
| CWE-623 | Unsafe ActiveX Control Marked Safe For Scripting | This vulnerability occurs when an ActiveX control designed for limited use is incorrectly flagged as safe for scripting, allowing web pages to access its potentially dangerous functions. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | This vulnerability occurs when an application's authorization system fails to verify that a user is allowed to access specific data before retrieving it, allowing an attacker to access another user's information by manipulating an identifier they control. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts. |
| CWE-645 | Overly Restrictive Account Lockout Mechanism | This vulnerability occurs when an application's account lockout feature is too strict, allowing attackers to easily trigger it and lock legitimate users out of their accounts, causing a denial of service. |
| CWE-647 | Use of Non-Canonical URL Paths for Authorization Decisions | This vulnerability occurs when an application's authorization logic relies on specific URL paths but fails to enforce a single, standardized format. Attackers can bypass access controls by using alternative, equivalent URL formats that the system doesn't recognize as the same protected resource. |
| CWE-648 | Incorrect Use of Privileged APIs | This vulnerability occurs when software incorrectly uses functions that require special permissions. Attackers can exploit these mistakes to gain unauthorized access, elevate their privileges, or steal sensitive data. |
| CWE-708 | Incorrect Ownership Assignment | This vulnerability occurs when a system grants ownership of a resource to an entity that should not have that level of control, placing it outside the intended security boundary. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | This vulnerability occurs when a system grants overly permissive access to a sensitive resource, allowing unauthorized users or processes to read or alter it. |
| CWE-798 | Use of Hard-coded Credentials | This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files. |
| CWE-804 | Guessable CAPTCHA | This vulnerability occurs when a CAPTCHA challenge is too easy for automated bots to solve, either by guessing or using pattern recognition, allowing them to bypass the human verification step. |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | This vulnerability occurs when an application's authentication system accepts a password hash directly from the client for verification, instead of receiving and hashing the plaintext password on the server. |
| CWE-842 | Placement of User into Incorrect Group | This vulnerability occurs when a system or administrator assigns a user to the wrong security group or role. |
| CWE-862 | Missing Authorization | This vulnerability occurs when an application fails to verify whether a user has permission to access specific data or execute certain actions before allowing the request to proceed. |
| CWE-863 | Incorrect Authorization | This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access. |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | This vulnerability occurs when Enterprise JavaBean (EJB) methods are configured with overly permissive access rights, allowing attackers to exploit elevated privileges they should not have. |
| CWE-918 | Server-Side Request Forgery (SSRF) | Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource based on user-controlled input, but fails to properly validate or restrict where those requests are sent. This allows an attacker to trick the server into making unauthorized connections to internal systems or external domains. |
| CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control | This vulnerability occurs when an application saves sensitive information to a storage location that lacks proper access restrictions, allowing unauthorized users or applications to view or modify the data. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | This vulnerability occurs when a system opens a communication channel for a sensitive task but fails to properly verify that it's actually talking to the correct, intended destination. This allows a malicious actor to impersonate the legitimate endpoint. |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver | This vulnerability occurs when an Android app's Broadcast Receiver accepts an Intent without confirming it originated from a trusted, authorized source, such as the operating system. |
| CWE-926 | Improper Export of Android Application Components | This vulnerability occurs when an Android app makes a component (like an Activity, Service, or Content Provider) available to other apps without enforcing proper security checks. This allows unintended or malicious applications to interact with the component, potentially leading to data theft, unauthorized actions, or application compromise. |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | This vulnerability occurs when an Android app uses an implicit intent to send sensitive data, allowing any other app on the device to potentially intercept and read that information. |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | This vulnerability occurs when an app implements a custom URL scheme handler but fails to properly verify which other apps or sources are allowed to trigger it. |
| CWE-940 | Improper Verification of Source of a Communication Channel | This vulnerability occurs when an application accepts incoming communication requests without properly checking where they originate from, allowing potentially malicious sources to establish a connection. |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel | This vulnerability occurs when an application establishes an outgoing communication channel but fails to correctly define or enforce the intended recipient. This misdirection can allow data to be sent to an untrusted or malicious destination. |
| CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | This vulnerability occurs when a web application's cross-domain security policy, like a Content Security Policy (CSP), explicitly allows communication with untrusted or overly permissive external domains. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.