Category: Comprehensive Categorization: Improper Neutralization
Incomplete
Summary
Weaknesses in this category are related to improper neutralization.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-116 | Improper Encoding or Escaping of Output | This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but fails to properly encode or escape user-supplied data. Because the output's structure isn't preserved, an attacker can inject malicious instructions that the receiving component will execute. |
| CWE-117 | Improper Output Neutralization for Logs | This vulnerability occurs when an application creates log entries using unvalidated external data, allowing attackers to inject malicious characters or commands that can corrupt log files, trigger parsing errors, or enable log injection attacks. |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | This vulnerability occurs when a program reads a structured data packet or message but fails to properly validate that the declared length field matches the actual amount of data provided. |
| CWE-138 | Improper Neutralization of Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have specific meanings in the target interpreter or protocol. This allows attackers to inject control elements that alter how downstream components process the data. |
| CWE-140 | Improper Neutralization of Delimiters | This vulnerability occurs when an application fails to properly handle or sanitize delimiter characters within data inputs, allowing them to be misinterpreted by downstream systems. |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters | This vulnerability occurs when an application fails to properly sanitize special characters that act as delimiters in data being passed between system components. Attackers can inject these characters to manipulate how downstream processes interpret command arguments or parameter lists. |
| CWE-142 | Improper Neutralization of Value Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape special characters that act as data separators (delimiters) before passing that data to another system or component. An attacker can inject these characters to manipulate how the downstream process interprets the data structure. |
| CWE-143 | Improper Neutralization of Record Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape special characters that function as record separators in data streams. When untrusted input containing these delimiters is passed to a downstream system, it can corrupt data structures, cause misinterpretation of records, or trigger unauthorized actions. |
| CWE-144 | Improper Neutralization of Line Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape line break characters (like newline or carriage return) in user-supplied input before passing that data to another system or component. |
| CWE-145 | Improper Neutralization of Section Delimiters | This vulnerability occurs when an application fails to properly sanitize or validate special characters that act as section delimiters in data streams. When this unsanitized input is passed to another component, these delimiters can be misinterpreted, leading to incorrect data parsing or unintended behavior. |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters | This vulnerability occurs when an application fails to properly sanitize input that contains special characters used as delimiters in expressions or commands. When this unsanitized input is passed to another component for processing, those characters can be misinterpreted, altering the intended logic or structure. |
| CWE-147 | Improper Neutralization of Input Terminators | This vulnerability occurs when an application accepts external input but fails to properly handle special characters that downstream systems interpret as commands to stop processing data. |
| CWE-148 | Improper Neutralization of Input Leaders | This vulnerability occurs when an application fails to properly validate or handle input that begins with special control characters or sequences, known as 'leaders.' Issues arise when a required leader is missing, malformed, or when too many leaders are present where only one is expected. |
| CWE-149 | Improper Neutralization of Quoting Syntax | This vulnerability occurs when an application fails to properly validate or escape quote characters (like single ' or double " quotes) in user input. Attackers can inject these quotes to manipulate how the system interprets data, often breaking out of intended data fields to execute unauthorized commands or alter program logic. |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | This vulnerability occurs when an application fails to properly sanitize or escape special character sequences in user-supplied input before passing that data to another system or component. Attackers can inject escape, meta, or control sequences to manipulate how the downstream component interprets the data, often leading to command execution, data corruption, or unauthorized actions. |
| CWE-151 | Improper Neutralization of Comment Delimiters | This vulnerability occurs when an application accepts user input and fails to properly sanitize characters that can be interpreted as comment markers (like /*, */, //, #, or <!--) before passing that data to another system component. This allows an attacker to inject malicious comments that can break data processing, alter logic, or expose sensitive information. |
| CWE-152 | Improper Neutralization of Macro Symbols | This vulnerability occurs when an application accepts user input containing macro symbols (like those used in templates or configuration files) and passes it along without properly sanitizing it. This allows attackers to inject malicious macro commands that get executed by downstream systems, potentially leading to data manipulation, system access, or other unintended behaviors. |
| CWE-153 | Improper Neutralization of Substitution Characters | This vulnerability occurs when an application accepts user input and fails to properly sanitize special characters that can trigger command or variable substitution before passing that data to another system component. This allows attackers to inject malicious substitutions that alter the system's intended behavior. |
| CWE-154 | Improper Neutralization of Variable Name Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape special characters that act as delimiters for variable names before passing data to another component. Attackers can inject these delimiters to manipulate how variables are interpreted. |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | This vulnerability occurs when an application fails to properly sanitize user-supplied input containing wildcard characters (like *, ?, or [ ]) before passing it to a command or function that interprets them as pattern-matching symbols. |
| CWE-156 | Improper Neutralization of Whitespace | This vulnerability occurs when an application fails to properly handle or sanitize whitespace characters in input before passing that data to another system component. This allows special whitespace elements to be interpreted incorrectly downstream, potentially altering how the data is processed. |
| CWE-157 | Failure to Sanitize Paired Delimiters | This vulnerability occurs when an application fails to properly validate or neutralize the special characters that come in pairs to define boundaries, such as parentheses, brackets, quotes, or braces. Attackers can exploit this oversight to manipulate data structure, inject malicious code, or cause the application to crash. |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character | This weakness occurs when an application receives data but fails to properly handle or remove NUL characters (\0) before passing that data to another system component. |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | This vulnerability occurs when an application fails to properly validate or neutralize special characters and control elements within user-supplied input. Without this filtering, attackers can inject these elements to manipulate the application's logic, leading to security breaches or system instability. |
| CWE-160 | Improper Neutralization of Leading Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize leading special characters or commands before passing that data to another system component. This allows an attacker to inject unexpected instructions at the beginning of the data stream. |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize multiple special characters or sequences at the beginning of that input before passing it to another system component. This allows an attacker to inject unexpected commands or data structures. |
| CWE-162 | Improper Neutralization of Trailing Special Elements | This vulnerability occurs when an application fails to properly sanitize or remove trailing special characters from user-supplied input before passing it to another system component. These leftover characters can trick the downstream parser into executing unintended commands or altering the data flow. |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements | This vulnerability occurs when software accepts external input but fails to properly sanitize or incorrectly handles multiple trailing special characters or elements. When this unsanitized data is passed to another system component, these elements can be interpreted in harmful, unintended ways. |
| CWE-164 | Improper Neutralization of Internal Special Elements | This vulnerability occurs when an application accepts data from a source but fails to properly sanitize internal control elements or metadata before passing it to another internal component. This can cause the downstream component to misinterpret the data and perform unintended actions. |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize multiple internal control characters or delimiters before passing that data to another internal component. This can cause the downstream component to misinterpret the data and execute unintended commands. |
| CWE-166 | Improper Handling of Missing Special Element | This vulnerability occurs when software expects a specific delimiter, terminator, or other special marker in its input but fails to properly handle situations where that element is absent. The application may then misinterpret boundaries, leading to crashes, data corruption, or security breaches. |
| CWE-167 | Improper Handling of Additional Special Element | This vulnerability occurs when software receives data from another component but fails to properly process or validate unexpected special characters or control elements within that input. |
| CWE-168 | Improper Handling of Inconsistent Special Elements | This vulnerability occurs when software fails to correctly process input containing conflicting or mismatched special elements like characters, symbols, or reserved keywords. |
| CWE-170 | Improper Null Termination | This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator. |
| CWE-172 | Encoding Error | This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted information that can break functionality or create security gaps. |
| CWE-173 | Improper Handling of Alternate Encoding | This vulnerability occurs when software fails to correctly process input that arrives in a different character encoding than expected, allowing that input to bypass security checks or cause misinterpretation. |
| CWE-174 | Double Decoding of the Same Data | This vulnerability occurs when an application decodes the same piece of data twice in sequence. This double processing can bypass or neutralize security checks that happen after the first decode, leaving the system exposed. |
| CWE-175 | Improper Handling of Mixed Encoding | This vulnerability occurs when software fails to correctly process input that contains multiple character encodings within the same data stream. |
| CWE-176 | Improper Handling of Unicode Encoding | This vulnerability occurs when software fails to correctly process or interpret Unicode-encoded input, leading to security bypasses, data corruption, or unexpected behavior. |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | This vulnerability occurs when an application fails to correctly process URL-encoded (also known as percent-encoded or hex-encoded) input, either by double-decoding it, not decoding it at all, or inconsistently handling encoded characters across different security checks. |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure, often leading to crashes or unexpected behavior. |
| CWE-229 | Improper Handling of Values | This vulnerability occurs when software fails to correctly process situations where input contains too few values, too many values, or undefined values for expected parameters, fields, or arguments. |
| CWE-230 | Improper Handling of Missing Values | This vulnerability occurs when software fails to properly check for or handle missing data values. It happens when a parameter, field, or argument name is provided, but its corresponding value is empty, blank, or null, and the system doesn't manage this absence safely. |
| CWE-231 | Improper Handling of Extra Values | This vulnerability occurs when software receives more input values than it was designed to handle, and fails to properly manage or reject the excess data. |
| CWE-232 | Improper Handling of Undefined Values | This vulnerability occurs when software fails to properly check for or handle undefined, null, or unsupported values passed to parameters, configuration fields, or function arguments. Instead of rejecting or safely converting these values, the system proceeds with an unexpected state, often leading to crashes or security flaws. |
| CWE-233 | Improper Handling of Parameters | This vulnerability occurs when software fails to correctly process input that contains an unexpected number of parameters, missing fields, or undefined arguments. It often leads to crashes, unexpected behavior, or security bypasses. |
| CWE-234 | Failure to Handle Missing Parameter | This vulnerability occurs when a function or method receives fewer arguments than it expects. The function will still attempt to process its expected number of parameters, which can lead to reading undefined, stale, or arbitrary values from the program's memory or stack, causing crashes or unexpected behavior. |
| CWE-235 | Improper Handling of Extra Parameters | This vulnerability occurs when a system fails to properly manage situations where it receives more parameters, fields, or arguments with the same name than it was designed to handle. |
| CWE-236 | Improper Handling of Undefined Parameters | This vulnerability occurs when software fails to properly manage input parameters, field names, or arguments that it doesn't recognize or support. Instead of rejecting or safely ignoring the undefined input, the system may behave unpredictably, leading to errors or security issues. |
| CWE-237 | Improper Handling of Structural Elements | This vulnerability occurs when an application fails to properly validate, sanitize, or interpret the complex internal parts of structured data, such as file headers, network packet fields, or document metadata. |
| CWE-238 | Improper Handling of Incomplete Structural Elements | This vulnerability occurs when software fails to properly process or validate data structures that are missing required components or are only partially formed. |
| CWE-239 | Failure to Handle Incomplete Element | This vulnerability occurs when a system fails to properly manage or validate data elements that are missing required parts or are only partially defined. |
| CWE-240 | Improper Handling of Inconsistent Structural Elements | This vulnerability occurs when a system fails to properly manage situations where related data structures or elements should match but are inconsistent. |
| CWE-241 | Improper Handling of Unexpected Data Type | This vulnerability occurs when software fails to properly validate or safely process data that arrives in an unexpected format. For example, the system might expect a numeric input but receives text instead, leading to crashes, errors, or security issues. |
| CWE-463 | Deletion of Data Structure Sentinel | This vulnerability occurs when a program accidentally removes or corrupts a special marker used to define the boundaries of a data structure, leading to logic errors and unexpected behavior. |
| CWE-464 | Addition of Data Structure Sentinel | This vulnerability occurs when a program unintentionally adds or modifies a special marker, known as a sentinel, within a data structure, leading to critical logic errors. |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte) | This vulnerability occurs when software incorrectly processes null bytes (NUL characters) as data moves between different systems or programming languages, leading to unexpected and potentially dangerous behavior. |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | This vulnerability occurs when an application fails to properly sanitize or escape user-controlled data placed within HTTP response headers. Malicious scripting syntax can then be injected and executed by client-side components like Flash that process raw headers. |
| CWE-707 | Improper Neutralization | This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external source or sent to another component. This allows malformed messages to be processed, which can lead to misinterpretation and security breaches. |
| CWE-790 | Improper Filtering of Special Elements | This vulnerability occurs when an application accepts data from a source but fails to properly sanitize or incorrectly filters out special characters or control elements before passing that data to another system component. |
| CWE-791 | Incomplete Filtering of Special Elements | This vulnerability occurs when an application accepts data from a source but fails to properly clean or neutralize all special characters or commands before passing that data to another system component. |
| CWE-792 | Incomplete Filtering of One or More Instances of Special Elements | This vulnerability occurs when an application receives external data but fails to properly neutralize all instances of potentially dangerous characters or code patterns before passing that data to another system component. |
| CWE-793 | Only Filtering One Instance of a Special Element | This vulnerability occurs when an application processes incoming data but only removes or neutralizes one occurrence of a dangerous element, leaving other identical or similar elements untouched before passing the data along. |
| CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements | This vulnerability occurs when an application receives data from a source but fails to remove or neutralize every instance of a potentially dangerous element before passing that data to another component. |
| CWE-795 | Only Filtering Special Elements at a Specified Location | This vulnerability occurs when a security filter only checks for dangerous input patterns at specific, predefined locations within the data. It fails to scan the entire input stream, allowing malicious elements that appear outside the expected location to pass through and potentially harm downstream components. |
| CWE-796 | Only Filtering Special Elements Relative to a Marker | This vulnerability occurs when software filters dangerous inputs or characters, but only checks for them in specific, expected locations (like the start or end of a string). It fails to detect and remove the same dangerous elements if they appear elsewhere in the data, allowing them to pass through to critical system components. |
| CWE-797 | Only Filtering Special Elements at an Absolute Position | This vulnerability occurs when software checks for dangerous characters or patterns only at a fixed, hardcoded location in input data. Because it ignores these same elements if they appear anywhere else, attackers can bypass the filter by simply moving the malicious content to a different position. |
| CWE-838 | Inappropriate Encoding for Output Context | This vulnerability occurs when a system uses one type of encoding for its output, but the component receiving that data expects a different encoding. The mismatch causes the downstream component to interpret the data incorrectly. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.