Category: Comprehensive Categorization: Poor Coding Practices
Incomplete
Summary
Weaknesses in this category are related to poor coding practices.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | This vulnerability occurs when an application shows text or symbols to users without clearly distinguishing between characters that look identical or very similar (called homoglyphs). Because users can't easily tell these characters apart, they might misinterpret information and accidentally perform unsafe actions, like clicking a malicious link. |
| CWE-103 | Struts: Incomplete validate() Method Definition | This vulnerability occurs in a Struts application when a validator form either completely omits a validate() method or includes one but fails to call super.validate() within it. |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class | This vulnerability occurs in Apache Struts applications when a form bean class does not properly extend the framework's validation class. This bypasses the built-in Validator framework, leaving the application without structured input validation and open to various injection and data manipulation attacks. |
| CWE-1041 | Use of Redundant Code | This weakness occurs when a codebase contains identical or nearly identical logic duplicated across multiple functions, methods, or modules. This redundancy creates unnecessary complexity and maintenance overhead. |
| CWE-1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements | This weakness occurs when a data structure, like a class or object, contains too many complex sub-elements (e.g., other objects or structs) instead of simple primitive types. |
| CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range | This occurs when a software system is built with either too many or too few distinct architectural layers, falling outside a recommended range that supports maintainability and security. |
| CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor | This occurs when a base class defines a virtual destructor, but a derived class inherits from it without declaring its own virtual destructor. |
| CWE-1047 | Modules with Circular Dependencies | This weakness occurs when software modules have circular references, meaning Module A depends on Module B, which in turn depends back on Module A, creating a closed loop. |
| CWE-1048 | Invokable Control Element with Large Number of Outward Calls | This weakness occurs when a single function, method, or callable code block makes an excessively high number of calls to other objects or components outside its immediate scope. This creates a complex, tightly-coupled web of dependencies that is difficult to manage. |
| CWE-1053 | Missing Documentation for Design | This weakness occurs when software lacks clear design documentation, making it difficult to understand how the system is structured and intended to work. |
| CWE-1054 | Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer | This weakness occurs when code in one architectural layer directly calls functions or methods in a much deeper layer, skipping over the intermediate layers that should normally handle the request. It bypasses the intended layered structure, similar to a manager going directly to an intern instead of working through the team lead. |
| CWE-1055 | Multiple Inheritance from Concrete Classes | This weakness occurs when a single class inherits functionality and state from more than one concrete (fully implemented) parent class. |
| CWE-1056 | Invokable Control Element with Variadic Parameters | This weakness occurs when a callable function or method is defined to accept a variable number of arguments (variadic parameters). |
| CWE-1057 | Data Access Operations Outside of Expected Data Manager Component | This weakness occurs when an application bypasses its dedicated, central data manager component and performs data access operations through other code paths. |
| CWE-1059 | Insufficient Technical Documentation | This weakness occurs when a software or hardware product lacks comprehensive technical documentation. Missing or incomplete details about the system's architecture, interfaces, design, configuration, or operation make it difficult to understand, maintain, and secure the product effectively. |
| CWE-1060 | Excessive Number of Inefficient Server-Side Data Accesses | This weakness occurs when an application makes an excessive number of individual data queries to a server or database, instead of using more efficient methods like stored procedures or batch operations. |
| CWE-1061 | Insufficient Encapsulation | This weakness occurs when a software component exposes too much of its internal workings, such as data structures or implementation logic. This lack of proper boundaries allows other parts of the system to interact with it in unintended ways, potentially leading to corrupted data, unexpected behavior, or hidden dependencies. |
| CWE-1062 | Parent Class with References to Child Class | This weakness occurs when a parent class directly references its child classes, their methods, or their member variables, creating a problematic and tightly coupled dependency. |
| CWE-1064 | Invokable Control Element with Signature Containing an Excessive Number of Parameters | This weakness occurs when a function, method, or subroutine is defined with an unnecessarily high number of parameters in its signature. |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | This weakness occurs when an application built to run on a managed application server bypasses the server's high-level APIs and instead uses low-level operating system calls to directly control resources like memory, files, or threads. |
| CWE-1066 | Missing Serialization Control Element | This weakness occurs when a class or data structure is marked as serializable but lacks the required control methods to properly handle the serialization and deserialization process. |
| CWE-1068 | Inconsistency Between Implementation and Documented Design | This weakness occurs when the actual code implementation deviates from the intended design described in its official documentation, creating a mismatch between how the system is supposed to work and how it actually does. |
| CWE-1069 | Empty Exception Block | This weakness occurs when a try-catch or try-finally block is present but contains no code to handle the caught exception or perform cleanup. |
| CWE-107 | Struts: Unused Validation Form | This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase. |
| CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements | This weakness occurs when a class or data structure is marked as serializable, but it contains one or more member elements that cannot be serialized. This mismatch prevents the entire object from being properly saved or transmitted. |
| CWE-1071 | Empty Code Block | An empty code block occurs when a section of source code, such as a conditional statement or function body, contains no executable statements. |
| CWE-1074 | Class with Excessively Deep Inheritance | This weakness occurs when a class inherits from an excessive number of parent classes, creating a deep and complex inheritance hierarchy. |
| CWE-1075 | Unconditional Control Flow Transfer outside of Switch Block | This weakness occurs when code uses an unconditional jump, like a 'goto' statement, outside of a structured control flow block like a switch statement. This bypasses the intended logic and makes the program's execution path unpredictable and difficult to follow. |
| CWE-1076 | Insufficient Adherence to Expected Conventions | This weakness occurs when software code, design, documentation, or other components fail to follow established industry or project-specific standards and conventions. |
| CWE-1078 | Inappropriate Source Code Style or Formatting | This weakness occurs when source code violates established style guidelines for formatting, indentation, whitespace, or commenting, making it difficult to read and maintain. |
| CWE-1079 | Parent Class without Virtual Destructor Method | This occurs when a base class, designed to be inherited from, does not declare its destructor as virtual. This oversight prevents proper cleanup when objects are deleted through a pointer to the parent class. |
| CWE-1080 | Source Code File with Excessive Number of Lines of Code | This weakness occurs when a single source code file grows excessively large, containing too many lines of code. |
| CWE-1082 | Class Instance Self Destruction Control Element | This vulnerability occurs when an object's code contains logic that triggers its own deletion or destruction during runtime. |
| CWE-1083 | Data Access from Outside Expected Data Manager Component | This weakness occurs when an application is designed to handle all data operations through a dedicated manager component (like a database layer), but code elsewhere bypasses it and accesses data directly. |
| CWE-1085 | Invokable Control Element with Excessive Volume of Commented-out Code | This weakness occurs when a callable function, method, or procedure contains a large amount of inactive, commented-out code within its implementation body. |
| CWE-1086 | Class with Excessive Number of Child Classes | This weakness occurs when a parent class has an excessive number of child classes that inherit from it, creating a deep and overly complex inheritance tree. |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor | This occurs when a class defines a virtual method but does not also provide a virtual destructor. |
| CWE-1090 | Method Containing Access of a Member Element from Another Class | This weakness occurs when a method in one class directly accesses a private or internal member (like a field or property) of a different class, bypassing proper interfaces. |
| CWE-1092 | Use of Same Invokable Control Element in Multiple Architectural Layers | This weakness occurs when the same piece of code or control logic is duplicated across different architectural layers of an application, such as the presentation, business, and data layers. |
| CWE-1093 | Excessively Complex Data Representation | This weakness occurs when software uses an overly complicated internal model to represent its data or the relationships between data elements. |
| CWE-1095 | Loop Condition Value Update within the Loop | This vulnerability occurs when a loop's exit condition depends on a variable that is also modified inside the loop body. This creates a complex and often unpredictable control flow that is difficult to analyze. |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | This weakness occurs when a persistent data object lacks the necessary methods to be properly compared, which can lead to inconsistent or incorrect behavior when the system checks for equality or manages collections. |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | This weakness occurs when a data structure contains a pointer, but the code lacks proper methods to copy or initialize that pointer safely. |
| CWE-1099 | Inconsistent Naming Conventions for Identifiers | This weakness occurs when a codebase uses mixed naming styles for elements like variables, functions, data types, or files, creating an inconsistent and confusing structure. |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Deploying an ASP.NET application with debug binaries enabled exposes detailed system information, which attackers can use to map your infrastructure and plan targeted exploits. |
| CWE-110 | Struts: Validator Without Form Field | This vulnerability occurs when a Struts application's validation configuration file references form fields that no longer exist in the corresponding ActionForm class. This mismatch indicates outdated validation logic that can fail to properly check user input. |
| CWE-1100 | Insufficient Isolation of System-Dependent Functions | This weakness occurs when an application fails to separate its core logic from functions that depend on a specific operating system, hardware, or external platform. Instead of being contained in dedicated modules, these system-dependent calls are scattered throughout the codebase. |
| CWE-1101 | Reliance on Runtime Component in Generated Code | This vulnerability occurs when software depends on automatically generated code that requires a specific, often external, runtime component to function. Without this component, the code cannot execute, creating a fragile and non-portable foundation. |
| CWE-1102 | Reliance on Machine-Dependent Data Representation | This weakness occurs when software directly depends on how a specific machine, processor, or operating system represents data in memory. Code that makes assumptions about byte order, data type sizes, or memory alignment becomes fragile and non-portable. |
| CWE-1103 | Use of Platform-Dependent Third Party Components | This weakness occurs when software depends on third-party libraries or components that behave differently or lack support across various target platforms or operating systems. |
| CWE-1105 | Insufficient Encapsulation of Machine-Dependent Functionality | This weakness occurs when an application relies on hardware-specific or platform-dependent features but fails to isolate that code from the rest of the system. This poor separation creates tight coupling between the core logic and low-level machine details. |
| CWE-1106 | Insufficient Use of Symbolic Constants | This weakness occurs when developers embed raw numbers or text strings directly in code instead of using named symbolic constants, making future updates and maintenance more difficult. |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions | This weakness occurs when a codebase uses symbolic constants (like named values for numbers or strings) but scatters their definitions across many files instead of centralizing them in one isolated location, such as a dedicated configuration file or module. |
| CWE-1108 | Excessive Reliance on Global Variables | This weakness occurs when a codebase depends too heavily on global variables to store and manage state, rather than keeping data within appropriate local scopes like functions or classes. |
| CWE-1109 | Use of Same Variable for Multiple Purposes | This weakness occurs when a single variable is reused to handle multiple, unrelated tasks or to store different pieces of data throughout the code. This practice muddies the variable's purpose and makes the logic harder to follow. |
| CWE-111 | Direct Use of Unsafe JNI | This weakness occurs when a Java application directly calls native code through the Java Native Interface (JNI), exposing the entire application to security risks present in that external code, even if Java itself is safe from those specific flaws. |
| CWE-1110 | Incomplete Design Documentation | This vulnerability occurs when a system's design documentation is missing critical details about how the software actually works. Key omissions include unclear control flow, undefined data movement, missing system startup procedures, vague component relationships, or unexplained design decisions. |
| CWE-1111 | Incomplete I/O Documentation | This weakness occurs when a product's documentation fails to clearly and completely define its inputs, outputs, or how it interacts with other systems or software components. |
| CWE-1112 | Incomplete Documentation of Program Execution | This weakness occurs when a system's documentation fails to completely list all the ways its behavior can be controlled or changed during execution. |
| CWE-1113 | Inappropriate Comment Style | This weakness occurs when source code comments are written in a style or format that doesn't match the project's established standards or common conventions for the language. |
| CWE-1114 | Inappropriate Whitespace Style | This weakness occurs when source code uses inconsistent or non-standard whitespace formatting, such as irregular indentation, spacing, or line breaks. |
| CWE-1115 | Source Code Element without Standard Prologue | This weakness occurs when source code files or modules lack a consistent, standardized header or prologue that the development team has agreed upon. |
| CWE-1116 | Inaccurate Comments | This weakness occurs when code comments do not correctly describe or explain the actual behavior of the associated code. Misleading comments create a disconnect between what the documentation says and what the program actually does. |
| CWE-1117 | Callable with Insufficient Behavioral Summary | This weakness occurs when a function, method, or API lacks clear documentation about its behavior. The signature or comments fail to properly explain what inputs it expects, what outputs it returns, what side effects it causes, or what assumptions it makes. |
| CWE-1118 | Insufficient Documentation of Error Handling Techniques | This weakness occurs when software documentation fails to clearly explain how the system manages errors, exceptions, or unexpected conditions. Developers are left guessing about the proper handling mechanisms. |
| CWE-1119 | Excessive Use of Unconditional Branching | This weakness occurs when code relies heavily on unconditional jumps like 'goto' statements, making the program flow difficult to follow. |
| CWE-1120 | Excessive Code Complexity | This weakness occurs when software contains sections of code that are unnecessarily intricate, as measured by established complexity metrics like cyclomatic complexity or cognitive load scores. |
| CWE-1121 | Excessive McCabe Cyclomatic Complexity | This weakness occurs when a function or method has an overly complex control flow, measured by a high McCabe Cyclomatic Complexity score. This makes the code difficult to read, test, and maintain. |
| CWE-1122 | Excessive Halstead Complexity | This weakness occurs when code has an excessively high Halstead complexity score, indicating it is overly intricate and difficult to analyze. |
| CWE-1123 | Excessive Use of Self-Modifying Code | The software relies heavily on code that rewrites itself during execution, making it difficult to analyze and maintain. |
| CWE-1124 | Excessively Deep Nesting | This weakness occurs when a function, method, or code block contains too many levels of nested loops, conditionals, or other control structures, making the logic path difficult to follow. |
| CWE-1125 | Excessive Attack Surface | This weakness occurs when a software product has an unnecessarily large number of entry and exit points that an attacker can target, exceeding a reasonable and secure threshold. |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | This weakness occurs when a variable is declared with a broader scope than it actually needs, such as declaring a variable at a global or function level when it's only used inside a loop or conditional block. |
| CWE-1127 | Compilation with Insufficient Warnings or Errors | This weakness occurs when source code is compiled without enabling a comprehensive set of warning flags from the compiler. This practice allows subtle bugs, insecure coding patterns, and quality issues to go undetected during the build process. |
| CWE-1164 | Irrelevant Code | Irrelevant code refers to sections of a program that have no impact on its execution, data, or logic. Removing this code would not change the software's behavior or correctness, as it performs no meaningful operations. |
| CWE-1177 | Use of Prohibited Code | This vulnerability occurs when software incorporates a function, library, or third-party component that has been explicitly banned by the development team or the customer. |
| CWE-1209 | Failure to Disable Reserved Bits | This vulnerability occurs when reserved bits in a hardware design are left active in production. Designers sometimes use these bits for debugging or future features, but if not disabled, attackers can manipulate them to compromise the hardware's state. |
| CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic | This vulnerability occurs when hardware logic contains flawed Finite State Machines (FSMs). Attackers can exploit these design errors to force the system into an undefined or unstable condition, potentially leading to a denial of service (DoS) or allowing privilege escalation. |
| CWE-1341 | Multiple Releases of Same Resource or Handle | This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close violates the API's contract and leads to unpredictable and often dangerous behavior. |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | This weakness occurs when a system integrates a component that cannot be fully trusted to meet security, reliability, and maintenance standards, creating risk for the entire product. |
| CWE-1434 | Insecure Setting of Generative AI/ML Model Inference Parameters | This vulnerability occurs when a generative AI or ML model is deployed with inference parameters that are too permissive, causing it to frequently generate incorrect, nonsensical, or unpredictable outputs. |
| CWE-242 | Use of Inherently Dangerous Function | This vulnerability occurs when code uses functions that are inherently unsafe and cannot be reliably secured, posing a direct risk to application stability and security. |
| CWE-245 | J2EE Bad Practices: Direct Management of Connections | This vulnerability occurs when a J2EE application handles database connections directly instead of using the container's built-in connection management system. |
| CWE-246 | J2EE Bad Practices: Direct Use of Sockets | This vulnerability occurs when a J2EE application creates network sockets directly, bypassing the container-managed communication framework provided by the platform. |
| CWE-253 | Incorrect Check of Function Return Value | This vulnerability occurs when a program misinterprets or improperly validates the return value from a function, causing it to miss critical error states or unexpected conditions. |
| CWE-358 | Improperly Implemented Security Check for Standard | This vulnerability occurs when software fails to correctly implement one or more critical security checks required by a standard protocol, algorithm, or security technique. |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads | Creating or managing threads directly within a J2EE application is a risky practice that violates the platform's standards and often leads to unstable applications. |
| CWE-392 | Missing Report of Error Condition | This vulnerability occurs when a system fails to properly signal that an error has happened. Instead of returning a clear error code, status, or exception, the software continues as if nothing went wrong, leaving other components unaware of the failure. |
| CWE-393 | Return of Wrong Status Code | This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an operation. This false signal can cause the application to behave in unexpected and potentially insecure ways. |
| CWE-440 | Expected Behavior Violation | This weakness occurs when a software component, such as a function, API, or feature, fails to act as documented or intended. The system's actual behavior deviates from its promised specification, leading to unpredictable results. |
| CWE-446 | UI Discrepancy for Security Feature | This vulnerability occurs when a user interface incorrectly displays a security feature as active or properly configured, misleading users into believing they are protected when they are not. |
| CWE-448 | Obsolete Feature in UI | This vulnerability occurs when a user interface (UI) includes outdated or deprecated features, but fails to alert users about their obsolete status. This can mislead users into relying on functionality that may be broken, unsupported, or pose a security risk. |
| CWE-449 | The UI Performs the Wrong Action | This vulnerability occurs when a user interface (UI) element or command performs a different, unintended action than what the user requested, potentially leading to security bypass, data corruption, or unexpected system behavior. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | This vulnerability occurs when a user interface fails to accurately display or highlight crucial information, potentially misleading users about the true state of the system or the source of data. Attackers exploit this weakness to trick users into performing unintended actions, often as part of phishing campaigns or other deception-based attacks. |
| CWE-462 | Duplicate Key in Associative List (Alist) | This vulnerability occurs when an associative list (alist) contains duplicate keys, which can cause unexpected behavior when software incorrectly handles or interprets these duplicates. |
| CWE-474 | Use of Function with Inconsistent Implementations | This vulnerability occurs when code relies on a function whose behavior changes across different operating systems or versions, leading to unpredictable security risks when the software runs in an unexpected environment. |
| CWE-475 | Undefined Behavior for Input to API | This API function exhibits unpredictable or undefined behavior when its control parameter is not set to the exact, required value. |
| CWE-476 | NULL Pointer Dereference | This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior. |
| CWE-477 | Use of Obsolete Function | This vulnerability occurs when code relies on deprecated or obsolete functions, indicating outdated practices and insufficient maintenance that can introduce security gaps. |
| CWE-484 | Omitted Break Statement in Switch | This vulnerability occurs when a developer forgets to include a 'break' statement inside a switch-case block. Without it, the code execution 'falls through' and unintentionally runs the logic for subsequent cases, leading to unexpected behavior. |
| CWE-489 | Active Debug Code | This vulnerability occurs when software is deployed to production with debugging or diagnostic features still enabled and accessible. |
| CWE-506 | Embedded Malicious Code | This vulnerability occurs when an application or codebase contains intentionally harmful code inserted by a developer or third party. |
| CWE-507 | Trojan Horse | A Trojan Horse vulnerability occurs when software presents itself as legitimate and useful, but secretly contains malicious functionality that bypasses security controls. This hidden code operates without the user's knowledge, violating the intended security policy of the system or its administrator. |
| CWE-508 | Non-Replicating Malicious Code | This type of malicious code is designed to operate only on the specific system it initially infects. Unlike viruses or worms, it does not contain mechanisms to copy itself or spread to other devices or networks. |
| CWE-509 | Replicating Malicious Code (Virus or Worm) | This weakness describes software that is vulnerable to infection by self-replicating malicious programs like viruses or worms. Once such malware compromises a system, it can use that system as a launchpad to automatically spread and attack others. |
| CWE-510 | Trapdoor | A trapdoor, often called a backdoor, is a hidden piece of code intentionally placed within software. It activates in response to a specific, often secret, input—like a special password or sequence—bypassing standard authentication and authorization checks to grant unauthorized access. |
| CWE-511 | Logic/Time Bomb | A logic or time bomb is malicious code intentionally placed within software to trigger harmful actions when a specific condition is met or a predetermined time is reached. |
| CWE-512 | Spyware | Spyware is software that secretly gathers personal information about a user or their activities. It does this by accessing data from other sources on the system, without the user's direct input or explicit consent. |
| CWE-546 | Suspicious Comment | This weakness occurs when code contains comments that flag potential issues, such as bugs, security gaps, or unfinished work, which can expose underlying problems or oversights. |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | This vulnerability occurs when code directly embeds security-critical values like passwords, cryptographic keys, or access levels as raw numbers or strings, instead of using named constants or configuration files. This practice makes the code brittle and error-prone during updates or security reviews. |
| CWE-560 | Use of umask() with chmod-style Argument | This vulnerability occurs when a program incorrectly uses the `umask()` system call with an argument formatted for `chmod()`, leading to unintended and overly permissive file permissions. |
| CWE-561 | Dead Code | Dead code refers to sections of a program that can never run during normal execution, effectively making them inactive and unreachable. |
| CWE-563 | Assignment to Variable without Use | This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a 'dead store.' |
| CWE-570 | Expression is Always False | This vulnerability occurs when code contains a conditional expression that can never evaluate to true, causing a section of the program to be permanently unreachable. |
| CWE-571 | Expression is Always True | This vulnerability occurs when code contains a conditional expression that will always evaluate to 'true', making the check ineffective and potentially bypassing critical security or logic gates. |
| CWE-573 | Improper Following of Specification by Caller | This weakness occurs when software fails to properly follow the documented rules, protocols, or requirements of an external component it uses, such as a library, API, framework, or platform. |
| CWE-575 | EJB Bad Practices: Use of AWT Swing | This vulnerability occurs when an Enterprise JavaBeans (EJB) component incorrectly uses AWT or Swing UI toolkits, violating the EJB specification's design principles. |
| CWE-576 | EJB Bad Practices: Use of Java I/O | This vulnerability occurs when an Enterprise JavaBeans (EJB) component incorrectly uses Java I/O (java.io) operations to access the file system, violating the EJB specification's design principles. |
| CWE-577 | EJB Bad Practices: Use of Sockets | This vulnerability occurs when an Enterprise JavaBeans (EJB) component breaks the EJB specification by directly creating or using network sockets. |
| CWE-578 | EJB Bad Practices: Use of Class Loader | This vulnerability occurs when an Enterprise JavaBeans (EJB) component directly manipulates the Java class loader, violating the EJB specification's security and portability rules. |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | This vulnerability occurs when a Java application stores an object in the user's session that cannot be serialized, which can break critical application features and hurt reliability. |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | This vulnerability occurs when a Java class defines either the equals() method or the hashCode() method, but not both, breaking a fundamental contract of object equality. |
| CWE-585 | Empty Synchronized Block | An empty synchronized block is a Java code construct where a synchronized block exists but contains no executable statements inside it. |
| CWE-586 | Explicit Call to Finalize() | This vulnerability occurs when code directly calls an object's finalize() method from outside its designated finalizer context. |
| CWE-589 | Call to Non-ubiquitous API | This vulnerability occurs when software relies on an operating system function that isn't available on all versions of the target platform. This can cause crashes, unexpected behavior, or security failures when the software runs in an environment where the API is missing. |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | This vulnerability occurs when a J2EE application framework attempts to save objects to disk that cannot be properly serialized, risking application failure. |
| CWE-605 | Multiple Binds to the Same Port | This vulnerability occurs when a system's socket configuration allows multiple applications to bind to the same network port simultaneously. This can let a malicious process hijack or impersonate legitimate services running on that port. |
| CWE-628 | Function Call with Incorrectly Specified Arguments | This weakness occurs when a function is called with arguments that are incorrectly specified, causing the function to behave in an unintended and consistently wrong manner. |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context | This vulnerability occurs when a software component performs the same action on a resource multiple times, even though the action is designed to be executed only once. This redundant execution can lead to unintended side effects, data corruption, or resource exhaustion. |
| CWE-676 | Use of Potentially Dangerous Function | This vulnerability occurs when code calls a function that can be dangerous if misused, but can also be used safely with proper precautions. The risk lies not in the function itself, but in how it's implemented. |
| CWE-683 | Function Call With Incorrect Order of Arguments | This vulnerability occurs when a program calls a function but supplies the arguments in the wrong order, which can cause unexpected behavior or security flaws. |
| CWE-684 | Incorrect Provision of Specified Functionality | This weakness occurs when software behaves differently than its documented specifications, which can mislead users and create security risks. |
| CWE-685 | Function Call With Incorrect Number of Arguments | This weakness occurs when a program calls a function, method, or subroutine but provides the wrong number of arguments—either too many or too few. This mismatch can cause the program to behave unpredictably, access incorrect memory, or crash, creating a security vulnerability. |
| CWE-686 | Function Call With Incorrect Argument Type | This vulnerability occurs when a program calls a function or method but passes an argument of the wrong data type, which can cause unexpected behavior or security flaws. |
| CWE-687 | Function Call With Incorrectly Specified Argument Value | This vulnerability occurs when a function is called with an argument that holds an incorrect or unexpected value, leading to unintended program behavior or security flaws. |
| CWE-688 | Function Call With Incorrect Variable or Reference as Argument | This vulnerability occurs when a function is called with the wrong variable or reference passed as an argument. This simple coding mistake can cause the program to behave unpredictably, access incorrect data, or trigger other security flaws. |
| CWE-695 | Use of Low-Level Functionality | This vulnerability occurs when code bypasses high-level framework controls by directly using low-level system functions, violating the intended security model. |
| CWE-710 | Improper Adherence to Coding Standards | This weakness occurs when developers don't consistently follow established coding standards and best practices, which can introduce security flaws or make existing vulnerabilities more severe. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | This weakness occurs when software depends on specific behaviors of an API, data structure, or system component that are not formally guaranteed by its specification. The code assumes these behaviors will always work a certain way, but they might change or fail under different conditions. |
| CWE-766 | Critical Data Element Declared Public | This vulnerability occurs when a critical piece of data—like a variable, field, or class member—is mistakenly declared as public when it should be kept private according to the application's security design. |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer | This vulnerability occurs when a program uses a path manipulation function but supplies an output buffer that is too small to hold the maximum possible path length, such as PATH_MAX. |
| CWE-912 | Hidden Functionality | Hidden functionality refers to undocumented features, commands, or code within a product that are not part of its official specification and are not obvious to users or administrators. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.