This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
| ID | Name | Description |
|---|---|---|
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Deploying an ASP.NET application with debug binaries enabled exposes detailed system information, which attackers can use to map the application's infrastructure and plan targeted exploits. |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | This vulnerability occurs when an ASP.NET application fails to configure custom error pages, allowing attackers to extract sensitive information from the framework's default error messages. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration files like web.config. This exposes those credentials to anyone with file system access, effectively bypassing security controls and granting unauthorized access to protected resources. |
| CWE-14 | Compiler Removal of Code to Clear Buffers | A compiler optimization can remove security-critical code intended to wipe sensitive data from memory, leaving secrets exposed. This happens when the compiler identifies buffer-clearing operations as unnecessary 'dead stores' and eliminates them. |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | This vulnerability occurs when a J2EE application transmits sensitive data, like login credentials or session tokens, across a network without using strong encryption. Attackers monitoring the network can easily intercept, read, or even alter this information if it's sent in plain text or protected by weak cryptographic methods. |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | This vulnerability occurs when a J2EE application uses session identifiers that are too short, making them easier for attackers to guess or brute-force. |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | This vulnerability occurs when a J2EE application uses the server's default error pages instead of custom ones, potentially leaking sensitive system details. |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | This vulnerability occurs when an Entity Bean in a J2EE application is incorrectly configured with a remote interface. This exposes data access methods to remote clients, allowing unauthorized users to potentially read sensitive information or manipulate data outside the application's intended security boundaries. |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | This vulnerability occurs when Enterprise JavaBean (EJB) methods are configured with overly permissive access rights, allowing attackers to exploit elevated privileges they should not have. |
| CWE-700 | Seven Pernicious Kingdoms | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |