Weaknesses in this category are related to component interaction.
| ID | Name | Description |
|---|---|---|
| CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code | The developer builds a security-critical protection mechanism into the program, but the processor optimizes execution (for example by executing a branch speculatively) in a way that removes or modifies that mechanism at run time, even though the compiled code still contains it. |
| CWE-1038 | Insecure Automated Optimizations | The product uses a mechanism that automatically optimizes code, such as a compiler, JIT, or the processor itself, and the optimization changes the semantics of the code in a way that weakens or removes a security protection the source relied upon. The compiler and processor entries in this table are specific forms of this weakness. |
| CWE-115 | Misinterpretation of Input | The product misinterprets an input, whether it comes from an attacker or from another product, in a security-relevant way: the data is accepted, but its meaning is taken differently from what the sender, the specification, or a peer component intended. |
| CWE-14 | Compiler Removal of Code to Clear Buffers | The source code clears sensitive memory (a key, a password) with memset() or an equivalent, but because the buffer is never read again the compiler treats the write as a dead store and removes it, so the secret remains in memory after the function returns. |
| CWE-435 | Improper Interaction Between Multiple Correctly-Behaving Entities | Two or more components each behave correctly in isolation, but the way they interact in the larger system creates a weakness that none of them has on its own. |
| CWE-436 | Interpretation Conflict | Product A handles an input or a sequence of steps differently from Product B, so A acts on an incorrect picture of B's state. Parser differentials and smuggling attacks are the classic cases. |
| CWE-437 | Incomplete Model of Endpoint Features | A product that acts as an intermediary or monitor between endpoints (a proxy, IDS, or WAF) does not have a complete model of an endpoint's features, behaviors, or state. Working from that incomplete model, it can pass traffic the endpoint will interpret as malicious or block traffic the endpoint would have handled safely. |
| CWE-439 | Behavioral Change in New Version or Environment | A component's behavior changes in a new version or in a different deployment environment, and the systems or users that depend on it are unaware of the change and cannot manage it, for example when a dependency upgrade silently changes a default. |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | A proxy, firewall, load balancer, or other HTTP intermediary parses a malformed or ambiguous request or response differently from the server or client behind it. A request that carries both Content-Length and Transfer-Encoding: chunked, for instance, can be framed differently by the two agents, so bytes the front end treats as the body are treated by the back end as the start of a new request. The attacker uses the disagreement to slip a request past the intermediary's checks, poison another user's response, or hijack another user's request. |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | The server's protection mechanism (authorization or CSRF checks, for example) assumes that a URI accessed with HTTP GET cannot change server-side state, so the checks are applied only to methods such as POST, PUT, or DELETE. If a GET handler nevertheless modifies or deletes a resource, an attacker can trigger the state change through it and bypass the protection entirely. |
| CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code | The developer writes a security-critical protection mechanism into the source, but the compiler's optimizer removes or modifies it (dead-store elimination of a memory wipe, CWE-14, is the classic case), leaving the built binary without the protection the source appears to contain. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends | The view that contains this category; listed here as the parent of the category itself, not as a member weakness. |
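CWE-14 and CWE-733 in code. The following is an added example, not code from the CWE entries or from this page. A toy key-derivation routine (constructed for the example, not a real KDF) is wiped with memset() in the vulnerable version, which an optimizing compiler may drop because the buffer is never read again, and with a volatile-store loop in the hardened version, which the compiler must keep. The function names and the sample password are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Toy key derivation, constructed for this example only (not a real KDF). */
static void toy_derive(uint8_t key[KEY_LEN], const uint8_t *pw, size_t pw_len) {
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(pw[i % pw_len] ^ (uint8_t)(i * 7 + 1));
}

static unsigned sum_bytes(const uint8_t *p, size_t n) {
    unsigned s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* CWE-14 pattern: key is local and never read after the memset(), so at -O2
 * the compiler may classify the memset as a dead store and delete it. The
 * derived key then stays in the dead stack frame. */
static unsigned use_key_vulnerable(const uint8_t *pw, size_t pw_len) {
    uint8_t key[KEY_LEN];
    toy_derive(key, pw, pw_len);
    unsigned tag = sum_bytes(key, KEY_LEN);
    memset(key, 0, sizeof key);            /* intended wipe; may be optimized away */
    return tag;
}

/* Wipe that dead-store elimination cannot remove: every store goes through a
 * volatile pointer, which the compiler is required to emit. memset_s (C11
 * Annex K), explicit_bzero (glibc, BSD) and SecureZeroMemory (Windows) are
 * library equivalents where available. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Same computation as the vulnerable version, with a wipe that survives optimization. */
static unsigned use_key_hardened(const uint8_t *pw, size_t pw_len) {
    uint8_t key[KEY_LEN];
    toy_derive(key, pw, pw_len);
    unsigned tag = sum_bytes(key, KEY_LEN);
    secure_zero(key, sizeof key);
    return tag;
}

/* Self-check: fill a buffer, wipe it with secure_zero(), return how many
 * bytes are still non-zero (expected 0). */
static size_t secure_zero_leftover(void) {
    uint8_t buf[64];
    memset(buf, 0xA5, sizeof buf);
    secure_zero(buf, sizeof buf);
    size_t left = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i]) left++;
    return left;
}

int main(void) {
    static const uint8_t pw[] = "correct horse battery staple";   /* constructed sample */
    size_t n = sizeof pw - 1;
    printf("vulnerable tag=%u hardened tag=%u leftover after secure_zero=%zu\n",
           use_key_vulnerable(pw, n), use_key_hardened(pw, n), secure_zero_leftover());
    return 0;
}
```

Both functions return the same tag; the difference is only visible in the generated code. Compile with `cc -O2 -S` and look at use_key_vulnerable: GCC and Clang at -O2 typically emit no call to memset there, while the volatile loop in secure_zero is still present. That inspection of the object code, not the source, is the check for CWE-14.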
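CWE-444 in code. This is an added example, not code from the CWE entry or from this page. A constructed CL.TE request is framed two ways: once by a Content-Length-only parser (how a front end that ignores Transfer-Encoding sees it) and once by a chunked decoder (how a back end that prefers Transfer-Encoding sees it). The two disagree: the front end forwards six body bytes, the back end sees an empty body and one leftover byte that becomes the first byte of the next request on the same connection. has_ambiguous_framing() shows the mitigation RFC 9112 §6.3 permits, rejecting any message that carries both framing headers. All function names and the sample request are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed CL.TE request: Content-Length claims 6 body bytes, chunked
 * framing ends the body after the empty terminal chunk. */
static const char SMUGGLED[] =
    "POST /api HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Length: 6\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "0\r\n"
    "\r\n"
    "G";   /* 6th body byte for the CL agent; leftover byte for the TE agent */
#define SMUGGLED_LEN (sizeof SMUGGLED - 1)

/* Offset just past the "\r\n\r\n" that ends the header block, 0 if incomplete. */
static size_t headers_end(const char *req, size_t len) {
    for (size_t i = 3; i < len; i++)
        if (memcmp(req + i - 3, "\r\n\r\n", 4) == 0) return i + 1;
    return 0;
}

/* Case-insensitive header lookup; copies the trimmed value into out. Returns 1 if found. */
static int header_value(const char *req, size_t hdr_end, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = memchr(req, '\n', hdr_end);            /* end of the request line */
    while (p && (size_t)(p - req) + 1 < hdr_end) {
        p++;                                               /* start of a header line */
        const char *eol = memchr(p, '\n', hdr_end - (size_t)(p - req));
        if (!eol) break;
        size_t i = 0;
        while (i < nlen && p + i < eol && tolower((unsigned char)p[i]) == tolower((unsigned char)name[i])) i++;
        if (i == nlen && p + i < eol && p[i] == ':') {
            const char *v = p + i + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(eol - v);
            while (vlen && (v[vlen - 1] == '\r' || v[vlen - 1] == ' ')) vlen--;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, v, vlen); out[vlen] = '\0';
            return 1;
        }
        p = eol;
    }
    return 0;
}

/* Body length as a Content-Length-only agent sees it; -1 if missing, invalid or truncated. */
static long body_len_by_cl(const char *req, size_t len) {
    size_t he = headers_end(req, len);
    char v[32], *end;
    if (!he || !header_value(req, he, "Content-Length", v, sizeof v)) return -1;
    unsigned long cl = strtoul(v, &end, 10);
    if (end == v || *end || he + cl > len) return -1;
    return (long)cl;
}

/* Decoded body length as a chunked-decoding agent sees it; *consumed (if non-NULL)
 * receives the wire bytes the chunked body used. -1 if not chunked or malformed. */
static long body_len_by_te(const char *req, size_t len, size_t *consumed) {
    size_t he = headers_end(req, len), p = he;
    char v[32];
    long decoded = 0;
    if (!he || !header_value(req, he, "Transfer-Encoding", v, sizeof v)) return -1;
    if (strcmp(v, "chunked") != 0) return -1;              /* only plain "chunked" handled here */
    for (;;) {
        size_t start = p;
        unsigned long sz = 0;
        while (p < len && isxdigit((unsigned char)req[p])) {      /* hex chunk size */
            int c = tolower((unsigned char)req[p++]);
            sz = sz * 16 + (unsigned long)(isdigit(c) ? c - '0' : c - 'a' + 10);
        }
        if (p == start) return -1;
        while (p < len && req[p] != '\r') p++;             /* skip chunk extensions */
        if (p + 1 >= len || req[p + 1] != '\n') return -1;
        p += 2;
        if (sz == 0) {                                     /* last chunk, then trailer CRLF */
            if (p + 1 >= len || req[p] != '\r' || req[p + 1] != '\n') return -1;
            p += 2;
            break;
        }
        if (p + sz + 2 > len || req[p + sz] != '\r' || req[p + sz + 1] != '\n') return -1;
        decoded += (long)sz;
        p += sz + 2;
    }
    if (consumed) *consumed = p - he;
    return decoded;
}

/* Bytes the TE agent leaves unread: they become the start of the NEXT request. */
static long leftover_by_te(const char *req, size_t len) {
    size_t consumed = 0;
    if (body_len_by_te(req, len, &consumed) < 0) return -1;
    return (long)(len - headers_end(req, len) - consumed);
}

/* Mitigation: a message with both framing headers is rejected (RFC 9112 §6.3),
 * so no two agents on the path can disagree about where the body ends. */
static int has_ambiguous_framing(const char *req, size_t len) {
    size_t he = headers_end(req, len);
    char a[32], b[32];
    return he && header_value(req, he, "Content-Length", a, sizeof a)
              && header_value(req, he, "Transfer-Encoding", b, sizeof b);
}

int main(void) {
    printf("CL agent: %ld-byte body; TE agent: %ld-byte body, %ld byte(s) left for the next request; ambiguous=%d\n",
           body_len_by_cl(SMUGGLED, SMUGGLED_LEN), body_len_by_te(SMUGGLED, SMUGGLED_LEN, NULL),
           leftover_by_te(SMUGGLED, SMUGGLED_LEN), has_ambiguous_framing(SMUGGLED, SMUGGLED_LEN));
    return 0;
}
```

The one leftover byte is the whole attack: whatever the attacker places after the terminal chunk is prepended to the next request the back end reads on that connection, which may belong to another user. Real front ends and back ends differ in many more ways than this (obfuscated Transfer-Encoding values, duplicate headers, line-folding), so the robust fix is normalization or rejection at the edge, not a smarter parser.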