Category: Comprehensive Categorization: Protection Mechanism Failure
Incomplete
Summary
Weaknesses in this category are related to protection mechanism failure.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1039 | Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism | This vulnerability occurs when a system uses automated AI or machine learning to classify complex inputs like images, audio, or text, but fails to correctly identify or process inputs that have been deliberately altered. Attackers can exploit this by crafting subtle modifications that cause the system to misclassify the input, leading to incorrect and potentially harmful decisions. |
| CWE-1248 | Semiconductor Defects in Hardware Logic with Security-Sensitive Implications | A security-critical hardware component contains physical flaws in its semiconductor material, which can cause it to malfunction and undermine its security features. |
| CWE-1253 | Incorrect Selection of Fuse Values | This vulnerability occurs when a hardware security fuse is incorrectly programmed to represent a 'secure' state as logic 0 (unblown). An attacker can permanently force the system into an insecure mode simply by blowing the fuse, which flips its value to logic 1. |
| CWE-1269 | Product Released in Non-Release Configuration | This vulnerability occurs when a product ships to customers while still configured with its pre-production or manufacturing settings, which typically include powerful debugging and testing features not intended for real-world use. |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | This vulnerability occurs when hardware lacks safeguards against physical inspection, allowing attackers to extract sensitive data by capturing and analyzing high-resolution images of the integrated circuit's internal structure. |
| CWE-1291 | Public Key Re-Use for Signing both Debug and Production Code | This vulnerability occurs when the same cryptographic key is used to sign both development/debug software builds and final production releases. This insecure practice allows debug versions, which often contain powerful diagnostic features, to be validated and run on live production systems. |
| CWE-1318 | Missing Support for Security Features in On-chip Fabrics or Buses | This vulnerability occurs when the communication channels (fabrics or buses) within a chip lack built-in or enabled security features, such as privilege separation or access controls, leaving data transfers unprotected. |
| CWE-1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) | This vulnerability occurs when a hardware device lacks sufficient shielding against electromagnetic interference, allowing attackers to disrupt its internal operations. By inducing targeted electromagnetic pulses, an attacker can force the device to malfunction, potentially bypassing security checks or leaking sensitive data. |
| CWE-1326 | Missing Immutable Root of Trust in Hardware | This vulnerability occurs when a hardware chip lacks a permanent, unchangeable root of trust. Without this immutable foundation, attackers can bypass secure boot protections and run unauthorized or malicious code during the system startup process. |
| CWE-1338 | Improper Protections Against Hardware Overheating | This vulnerability occurs when a hardware device lacks sufficient safeguards to prevent dangerous temperature increases during operation. |
| CWE-1429 | Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface | This vulnerability occurs when a hardware interface discards operations without providing any security-relevant feedback, such as error notifications or logs. This silence prevents the timely detection of critical failures or active attacks, leaving systems vulnerable to undetected compromise. |
| CWE-182 | Collapse of Data into Unsafe Value | This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information, producing a result that violates security rules. Essentially, safe input gets collapsed into a dangerous value. |
| CWE-184 | Incomplete List of Disallowed Inputs | This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but that list is missing critical entries. Attackers can bypass the protection by using variations or inputs the developers didn't anticipate. |
| CWE-222 | Truncation of Security-relevant Information | This vulnerability occurs when a system shortens or cuts off security-critical data during display, logging, or processing. This truncation can hide the true details of an attack, making it harder to detect, investigate, and respond to threats. |
| CWE-223 | Omission of Security-relevant Information | This vulnerability occurs when an application fails to capture or present crucial security-related details, such as the origin of a request or the specifics of a security event. Without this information, developers and security teams cannot effectively trace attacks or validate whether an operation is legitimate. |
| CWE-224 | Obscured Security-relevant Information by Alternate Name | This vulnerability occurs when a system logs or reports security-critical events using a nickname or alias for a component, instead of its official, unique identifier. |
| CWE-356 | Product UI does not Warn User of Unsafe Actions | This vulnerability occurs when a software interface fails to alert users before they perform a risky action. Without clear warnings, users can be more easily misled into taking steps that harm their system or data. |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | This vulnerability occurs when a software application does present a warning to a user before a risky action, but the warning is designed or placed in a way that makes it too easy to miss, ignore, or accidentally dismiss. |
| CWE-450 | Multiple Interpretations of UI Input | This vulnerability occurs when a user interface can interpret the same input in multiple ways, but automatically chooses a less secure option without warning the user. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | This vulnerability occurs when a server incorrectly trusts the client to enforce critical security rules, such as input validation or access controls, instead of performing these checks itself. |
| CWE-693 | Protection Mechanism Failure | This weakness occurs when software either lacks a necessary security control, implements one that is too weak, or fails to activate an existing control in a critical area, leaving it vulnerable to targeted attacks. |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | This vulnerability occurs when a protocol or system allows negotiating a security algorithm (like encryption) but chooses a weaker option than the strongest one both parties support, creating an unnecessary security gap. |
| CWE-778 | Insufficient Logging | This weakness occurs when an application fails to properly record important security events or captures them with insufficient detail, making it hard to spot and investigate suspicious activity. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | This vulnerability occurs when an application's security check depends on user-controlled data that can be manipulated to bypass protection mechanisms, such as authentication or authorization gates. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.