Category: Comprehensive Categorization: Encryption
Incomplete
Summary
Weaknesses in this category are related to encryption.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | This weakness occurs when a product uses a custom, unverified, or non-compliant implementation of a cryptographic algorithm instead of a trusted, standard solution. |
| CWE-1428 | Reliance on HTTP instead of HTTPS | This vulnerability occurs when an application uses unencrypted HTTP connections instead of the secure HTTPS alternative, even when HTTPS is available. |
| CWE-311 | Missing Encryption of Sensitive Data | This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed. |
| CWE-312 | Cleartext Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems. |
| CWE-313 | Cleartext Storage in a File or on Disk | This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk without using encryption. |
| CWE-314 | Cleartext Storage in the Registry | This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry. |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie without encryption. |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of encryption or protection. |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI | This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its graphical user interface (GUI) elements. |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable | This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code without encryption. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-324 | Use of a Key Past its Expiration Date | This vulnerability occurs when an application continues to use a cryptographic key or password after its designated expiration date. Doing so dramatically increases the security risk by giving attackers more time to discover or crack the key. |
| CWE-325 | Missing Cryptographic Step | This vulnerability occurs when a software implementation skips a critical step in a cryptographic process, resulting in security that is significantly weaker than the intended algorithm provides. |
| CWE-326 | Inadequate Encryption Strength | This vulnerability occurs when an application protects sensitive information with encryption, but the specific algorithm or key strength used is too weak to withstand modern attack methods. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security standards. |
| CWE-328 | Use of Weak Hash | This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input that creates the same hash, or discover collisions where two inputs produce identical hash values. |
| CWE-347 | Improper Verification of Cryptographic Signature | This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step entirely, allowing tampered or forged information to be accepted as legitimate. |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | This vulnerability occurs when a J2EE application transmits sensitive data, like login credentials or session tokens, across a network without using strong encryption. Attackers monitoring the network can easily intercept, read, or even alter this information if it's sent in plain text or protected by weak cryptographic methods. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | This vulnerability occurs when a web application transmits sensitive cookies over an HTTPS connection but fails to set the 'Secure' attribute on those cookies. |
| CWE-759 | Use of a One-Way Hash without a Salt | This vulnerability occurs when a system uses a one-way hash function (like MD5 or SHA-256) to protect sensitive data like passwords, but fails to add a unique random value called a salt before hashing. |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | This vulnerability occurs when an application uses a one-way hash (like for password storage) but combines it with a predictable or easily guessed salt. This undermines the security benefit of salting, making pre-computed attack methods like rainbow tables highly effective. |
| CWE-780 | Use of RSA Algorithm without OAEP | This vulnerability occurs when an application implements RSA encryption but fails to use Optimal Asymmetric Encryption Padding (OAEP), significantly weakening the cryptographic protection. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | This vulnerability occurs when a system protects passwords by hashing them, but uses a hashing algorithm that is too fast or computationally cheap. This makes it easy for attackers to crack the stored password hashes using brute-force methods. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.