Category: Comprehensive Categorization: Resource Control
Incomplete
Summary
Weaknesses in this category are related to resource control.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1104 | Use of Unmaintained Third Party Components | This weakness occurs when software depends on third-party libraries, frameworks, or modules that are no longer actively updated or supported by their creators or a trusted maintainer. |
| CWE-1249 | Application-Level Admin Tool with Inconsistent View of Underlying Operating System | This vulnerability occurs when an administrative tool (like a web interface or API) fails to accurately display the true state of the underlying operating system it manages. The tool's view becomes inconsistent with reality, hiding critical resources like user accounts, processes, or files from the administrator. |
| CWE-1251 | Mirrored Regions with Different Values | This vulnerability occurs when a system maintains duplicate copies of data or resources (like cached memory or shadow registers) but fails to keep them synchronized. When mirrored regions hold different values, it can lead to incorrect system behavior, data corruption, or security breaches. |
| CWE-1277 | Firmware Not Updateable | This vulnerability occurs when a hardware product lacks a mechanism for users to install firmware updates, leaving known security flaws permanently unpatched. |
| CWE-1310 | Missing Ability to Patch ROM Code | A system or System-on-Chip (SoC) lacks a mechanism to update its initial boot code stored in Read-Only Memory (ROM), permanently exposing devices to unfixable security vulnerabilities. |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | Prototype pollution occurs when an application takes user-supplied input and uses it to improperly modify the properties of a JavaScript object's prototype. This allows attackers to inject key-value pairs into the base object, potentially altering the application's logic, crashing it, or escalating privileges. |
| CWE-1329 | Reliance on Component That is Not Updateable | This vulnerability occurs when a product depends on a component that cannot be updated or patched to fix security flaws or critical bugs. |
| CWE-385 | Covert Timing Channel | A covert timing channel is a security flaw where an attacker can deduce secret information by observing how long certain operations take to execute. Instead of directly reading data, they analyze timing variations in system behavior to infer protected details. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide which class to load or which method to execute via reflection. An attacker can manipulate this input to force the application to load unexpected, potentially malicious code. |
| CWE-473 | PHP External Variable Modification | This vulnerability occurs when a PHP application fails to properly validate or sanitize variables that originate from outside the application, such as HTTP query strings, cookies, or POST data. Attackers can exploit this to inject unexpected values, altering the program's logic and security controls. |
| CWE-502 | Deserialization of Untrusted Data | This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation, allowing an attacker to manipulate the data to execute malicious code or cause unexpected behavior. |
| CWE-514 | Covert Channel | A covert channel is a hidden communication path that allows data to be transmitted in a way that bypasses the system's intended security controls and monitoring. |
| CWE-515 | Covert Storage Channel | A covert storage channel is a type of security flaw where one process secretly encodes data into a shared system resource (like a file, memory bit, or status flag), and another unauthorized process later reads that resource to extract the hidden information. |
| CWE-672 | Operation on a Resource after Expiration or Release | This vulnerability occurs when a program continues to use a resource—like memory, a file handle, or a network connection—after it has been freed, closed, or is no longer valid. |
| CWE-826 | Premature Release of Resource During Expected Lifetime | This happens when software incorrectly frees or closes a resource—like memory, a file handle, or a network connection—while that resource is still supposed to be in active use by the program or another component. |
| CWE-910 | Use of Expired File Descriptor | This vulnerability occurs when a program attempts to use a file descriptor after it has been closed, treating it as if it were still valid. |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.