Category: Data Processing Errors
Draft
Summary
Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1024 | Comparison of Incompatible Types | This vulnerability occurs when code directly compares two values of fundamentally different data types, which can lead to unreliable or incorrect results because the comparison logic doesn't handle the type mismatch properly. |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | This vulnerability occurs when a program reads a structured data packet or message but fails to properly validate that the declared length field matches the actual amount of data provided. |
| CWE-166 | Improper Handling of Missing Special Element | This vulnerability occurs when software expects a specific delimiter, terminator, or other special marker in its input but fails to properly handle situations where that element is absent. The application may then misinterpret boundaries, leading to crashes, data corruption, or security breaches. |
| CWE-167 | Improper Handling of Additional Special Element | This vulnerability occurs when software receives data from another component but fails to properly process or validate unexpected special characters or control elements within that input. |
| CWE-168 | Improper Handling of Inconsistent Special Elements | This vulnerability occurs when software fails to correctly process input containing conflicting or mismatched special elements like characters, symbols, or reserved keywords. |
| CWE-178 | Improper Handling of Case Sensitivity | This vulnerability occurs when software fails to consistently handle uppercase and lowercase letters when checking or accessing resources, leading to unpredictable behavior and security gaps. |
| CWE-182 | Collapse of Data into Unsafe Value | This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information, producing a result that violates security rules. Essentially, safe input gets collapsed into a dangerous value. |
| CWE-186 | Overly Restrictive Regular Expression | This weakness occurs when a regular expression is too narrow, failing to detect all the dangerous or unexpected input values it was designed to catch. |
| CWE-229 | Improper Handling of Values | This vulnerability occurs when software fails to correctly process situations where input contains too few values, too many values, or undefined values for expected parameters, fields, or arguments. |
| CWE-233 | Improper Handling of Parameters | This vulnerability occurs when software fails to correctly process input that contains an unexpected number of parameters, missing fields, or undefined arguments. It often leads to crashes, unexpected behavior, or security bypasses. |
| CWE-237 | Improper Handling of Structural Elements | This vulnerability occurs when an application fails to properly validate, sanitize, or interpret the complex internal parts of structured data, such as file headers, network packet fields, or document metadata. |
| CWE-241 | Improper Handling of Unexpected Data Type | This vulnerability occurs when software fails to properly validate or safely process data that arrives in an unexpected format. For example, the system might expect a numeric input but receives text instead, leading to crashes, errors, or security issues. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | This vulnerability occurs when software fails to safely process highly compressed data, where a small input file can trigger the creation of an extremely large amount of data during decompression, overwhelming system resources. |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | This vulnerability occurs when a web application incorrectly trusts data that appears to be fixed or hidden from the user, such as values in hidden form fields, cookies, or URL parameters. Because this data is actually controllable by the client, attackers can modify it to bypass security checks or corrupt application logic. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect, allowing an attacker to send users to an untrusted, external website. |
| CWE-611 | Improper Restriction of XML External Entity Reference | This vulnerability occurs when an application processes XML input without properly restricting external entity references. Attackers can exploit this to read local files, trigger internal network requests, or cause denial of service. |
| CWE-624 | Executable Regular Expression Error | This vulnerability occurs when an application uses a regular expression that can execute code, either because it directly contains executable logic with unsafe user input, or because an attacker can inject pattern modifiers that enable code execution. |
| CWE-625 | Permissive Regular Expression | This weakness occurs when a regular expression is too permissive, failing to properly validate or sanitize input by allowing unintended values or patterns. |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without proper limits, enabling malicious data structures. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.