View: Weaknesses Introduced During Design
Incomplete
Type: Implicit
Objective
This view (slice) lists weaknesses that can be introduced during design.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | This vulnerability occurs when an application shows text or symbols to users without clearly distinguishing between characters that look identical or very similar (called homoglyphs). Because users can't easily tell these characters apart, they might misinterpret information and accidentally perform unsafe actions, like clicking a malicious link. |
| CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code | This vulnerability occurs when a processor's performance optimization unintentionally strips out or alters security-critical code that a developer intentionally placed in the software. |
| CWE-1038 | Insecure Automated Optimizations | This vulnerability occurs when software uses automated tools to optimize code for performance or efficiency, but those optimizations accidentally weaken or bypass critical security protections that the original code relied upon. |
| CWE-1039 | Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism | This vulnerability occurs when a system uses automated AI or machine learning to classify complex inputs like images, audio, or text, but fails to correctly identify or process inputs that have been deliberately altered. Attackers can exploit this by crafting subtle modifications that cause the system to misclassify the input, leading to incorrect and potentially harmful decisions. |
| CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range | This occurs when a software system is built with either too many or too few distinct architectural layers, falling outside a recommended range that supports maintainability and security. |
| CWE-1059 | Insufficient Technical Documentation | This weakness occurs when a software or hardware product lacks comprehensive technical documentation. Missing or incomplete details about the system's architecture, interfaces, design, configuration, or operation make it difficult to understand, maintain, and secure the product effectively. |
| CWE-115 | Misinterpretation of Input | This vulnerability occurs when software incorrectly interprets or processes input data, leading to unintended and potentially harmful security consequences. The flawed interpretation can come from user-provided data, external systems, or other components. |
| CWE-1173 | Improper Use of Validation Framework | This vulnerability occurs when a software application either fails to use or incorrectly implements a built-in or library-provided input validation framework. |
| CWE-1176 | Inefficient CPU Computation | This weakness occurs when software uses inefficient algorithms or suboptimal CPU operations, performing unnecessary or overly complex calculations that waste processing power and slow down performance. |
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) | This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly separate shared hardware resources between secure (trusted) and non-secure (untrusted) components. |
| CWE-1190 | DMA Device Enabled Too Early in Boot Phase | This vulnerability occurs when a device with Direct Memory Access (DMA) capability is activated before the system's security settings are fully locked in during the boot process. This oversight can let an attacker bypass normal protections to read sensitive data from memory or escalate their privileges on the system. |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify sensitive internal registers and bypass the chip's built-in security protections. |
| CWE-1192 | Improper Identifier for IP Block used in System-On-Chip (SOC) | This weakness occurs when a System-on-Chip (SoC) lacks a secure, unique, and permanent identifier for its internal hardware components (IP blocks). Without this, the system cannot reliably distinguish between different parts of the chip, leading to security and reliability failures. |
| CWE-1209 | Failure to Disable Reserved Bits | This vulnerability occurs when reserved bits in a hardware design are left active in production. Designers sometimes use these bits for debugging or future features, but if not disabled, attackers can manipulate them to compromise the hardware's state. |
| CWE-1220 | Insufficient Granularity of Access Control | This vulnerability occurs when a system's access controls are too broad, allowing unauthorized users or processes to read or modify sensitive resources. Instead of implementing precise, fine-grained permissions, the security policy uses overly permissive rules that fail to properly restrict access to critical assets like configuration data, keys, or system registers. |
| CWE-1223 | Race Condition for Write-Once Attributes | This vulnerability occurs when an untrusted software component wins a race condition and writes to a hardware register before the trusted component can, permanently locking in an insecure value because the register is designed to be written only once. |
| CWE-1224 | Improper Restriction of Write-Once Bit Fields | This vulnerability occurs when hardware write-once protection mechanisms, often called 'sticky bits,' are incorrectly implemented, allowing software to reprogram them multiple times. |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | This vulnerability occurs when an application protects the primary source of sensitive data but fails to secure the metadata derived from it. Attackers can then access this secondary information, which may leak critical details about the original content. |
| CWE-1231 | Improper Prevention of Lock Bit Modification | This vulnerability occurs when hardware or firmware uses a lock bit to protect critical system registers or memory regions, but fails to properly prevent that lock bit from being changed after it has been enabled. This design flaw allows attackers to bypass hardware-enforced security restrictions. |
| CWE-1232 | Improper Lock Behavior After Power State Transition | This vulnerability occurs when a hardware lock bit, designed to protect critical system configuration registers, is improperly reset or becomes programmable after a device transitions between power states, such as entering or waking from a low-power sleep mode. This allows the protected configuration to be altered after it should be permanently locked. |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | This vulnerability occurs when a hardware device uses a lock bit to protect critical configuration registers, but the lock fails to prevent writes to all registers that can alter the protected system settings. Essentially, the security mechanism is incomplete, allowing software to bypass it and modify sensitive hardware configurations. |
| CWE-1234 | Hardware Internal or Debug Modes Allow Override of Locks | Hardware debug modes or internal states can bypass critical system lock protections, allowing unauthorized changes to device configuration. |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | This weakness occurs when a product uses a custom, unverified, or non-compliant implementation of a cryptographic algorithm instead of a trusted, standard solution. |
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | This vulnerability occurs when a device or application relies on a predictable algorithm to generate pseudo-random numbers, making the output sequence foreseeable. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | This vulnerability occurs when a hardware device or chip includes undocumented configuration bits (often called 'chicken bits') or hidden features that can disable security controls or enable privileged functions. |
| CWE-1243 | Sensitive Non-Volatile Information Not Protected During Debug | This vulnerability occurs when security-critical data stored in hardware fuses is left unprotected and accessible during debug modes. |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | This vulnerability occurs when a system's debug or test interface supports multiple access levels, but an internal asset is incorrectly assigned a permissive debug access level. This mistake allows untrusted debug agents to access sensitive internal assets they should not be able to reach. |
| CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic | This vulnerability occurs when hardware logic contains flawed Finite State Machines (FSMs). Attackers can exploit these design errors to force the system into an undefined or unstable condition, potentially leading to a denial of service (DoS) or allowing privilege escalation. |
| CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories | This vulnerability occurs when a system fails to properly manage write operations on memory hardware that has a limited lifespan, such as Flash or EEPROM. Without correct wear leveling, specific memory cells wear out faster than intended, leading to premature device failure. |
| CWE-1249 | Application-Level Admin Tool with Inconsistent View of Underlying Operating System | This vulnerability occurs when an administrative tool (like a web interface or API) fails to accurately display the true state of the underlying operating system it manages. The tool's view becomes inconsistent with reality, hiding critical resources like user accounts, processes, or files from the administrator. |
| CWE-1252 | CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations | This vulnerability occurs when a CPU's hardware is not set up to enforce a strict separation between writing data to memory and executing instructions from it. Without this hardware-level protection, attackers can potentially write malicious code into memory and then run it. |
| CWE-1253 | Incorrect Selection of Fuse Values | This vulnerability occurs when a hardware security fuse is incorrectly programmed to represent a 'secure' state as logic 0 (unblown). An attacker can permanently force the system into an insecure mode simply by blowing the fuse, which flips its value to logic 1. |
| CWE-1254 | Incorrect Comparison Logic Granularity | This vulnerability occurs when a system compares sensitive data, like passwords or authentication tokens, piece-by-piece instead of as a complete unit. If the comparison stops at the first mismatch, attackers can measure tiny timing differences to gradually guess the correct value. |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | This vulnerability occurs when a system's software interfaces to hardware features—like power, clock, or performance management—are not properly locked down. This allows attackers to misuse these interfaces from software to tamper with hardware memory or registers, or to gather sensitive data by observing physical side effects, without needing physical access to the device. |
| CWE-1257 | Improper Access Control Applied to Mirrored or Aliased Memory Regions | This vulnerability occurs when a hardware design maps the same physical memory to multiple addresses (aliasing or mirroring) but fails to apply consistent read/write permissions across all these addresses. An attacker blocked from accessing a protected memory region might still reach the same data through its unprotected aliased address, bypassing security controls. |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | This vulnerability occurs when hardware fails to erase sensitive data like cryptographic keys and intermediate values before entering debug mode, leaving them exposed. |
| CWE-1259 | Improper Restriction of Security Token Assignment | This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly secure its Security Token mechanism. These tokens control which actions different system components are allowed to perform, but inadequate protection allows them to be manipulated. |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | This vulnerability occurs when a system incorrectly allows different memory protection ranges to overlap. This flaw can let attackers bypass security controls and access restricted memory areas. |
| CWE-1261 | Improper Handling of Single Event Upsets | This vulnerability occurs when hardware logic fails to properly manage single-event upsets (SEUs), which are temporary bit flips caused by environmental factors. |
| CWE-1262 | Improper Access Control for Register Interface | This vulnerability occurs when a system's hardware registers, which act as a software-to-hardware control panel, lack proper access restrictions. Malicious or flawed software can directly manipulate these registers, leading to unauthorized changes in hardware behavior. |
| CWE-1263 | Improper Physical Access Control | This vulnerability occurs when a device or system has areas meant to be physically secure, but the safeguards in place are too weak to stop someone with direct physical access from reaching restricted components or data. |
| CWE-1264 | Hardware Logic with Insecure De-Synchronization between Control and Data Channels | This vulnerability occurs when a hardware design incorrectly forwards data before its security or permission checks have finished processing. It's a timing flaw where the data channel gets ahead of the control channel, potentially leaking information. |
| CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device | This vulnerability occurs when a system lacks a reliable method for administrators to permanently erase sensitive information before taking hardware or software out of service. The data scrubbing feature might be missing, ineffective, or flawed, leaving confidential data behind. |
| CWE-1267 | Policy Uses Obsolete Encoding | This vulnerability occurs when a hardware system uses outdated or deprecated encoding methods to enforce security policies and access controls. |
| CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents | This vulnerability occurs when hardware access control policies are inconsistent, allowing an agent with control privileges to modify write permissions even when it shouldn't have direct write access. |
| CWE-1270 | Generation of Incorrect Security Tokens | This vulnerability occurs when a system's security token mechanism, designed to control permissions for different entities or agents, generates tokens that are fundamentally flawed or incorrect. |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | This vulnerability occurs when a device changes its power mode or enters a debug state but fails to wipe sensitive data that should become inaccessible after the transition. |
| CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | This vulnerability occurs when a system's secure-boot process loads bootloader code into volatile memory (like DRAM or SRAM) but fails to properly lock down that memory region afterward. Without strong access controls, an attacker can modify the boot code in memory, bypassing secure boot and running malicious software. |
| CWE-1277 | Firmware Not Updateable | This vulnerability occurs when a hardware product lacks a mechanism for users to install firmware updates, leaving known security flaws permanently unpatched. |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | This vulnerability occurs when hardware lacks safeguards against physical inspection, allowing attackers to extract sensitive data by capturing and analyzing high-resolution images of the integrated circuit's internal structure. |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to supply valid data, potentially compromising security. |
| CWE-1281 | Sequence of Processor Instructions Leads to Unexpected Behavior | Certain sequences of valid and invalid processor instructions can cause the CPU to lock up or behave unpredictably, often requiring a hard reset to recover. |
| CWE-1283 | Mutable Attestation or Measurement Reporting Data | This vulnerability occurs when the hardware registers storing boot integrity measurements can be altered by an attacker, allowing them to forge verification data and hide a compromised boot process. |
| CWE-1290 | Incorrect Decoding of Security Identifiers | This vulnerability occurs when a hardware decoder incorrectly interprets security identifiers in bus transactions, allowing untrusted agents to gain unauthorized access to protected assets. |
| CWE-1292 | Incorrect Conversion of Security Identifiers | This vulnerability occurs when a hardware system incorrectly translates security identifiers during bus protocol conversion. An improper mapping allows untrusted agents to bypass security checks and gain unauthorized access to protected assets or functions. |
| CWE-1293 | Missing Source Correlation of Multiple Independent Data | This vulnerability occurs when a system trusts a single source of data without verification, making it impossible to detect if that source has been tampered with or compromised by an attacker. |
| CWE-1294 | Insecure Security Identifier Mechanism | This vulnerability occurs when a System-on-Chip (SoC) implements a Security Identifier mechanism to control transaction permissions, but the implementation contains flaws that undermine its security. |
| CWE-1298 | Hardware Logic Contains Race Conditions | A hardware race condition occurs when security-critical logic circuits receive signals at slightly different times, creating temporary glitches that can bypass system protections. |
| CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface | This vulnerability occurs when a hardware component's security controls only protect the primary access path, leaving alternate interfaces unprotected. Attackers can bypass intended restrictions by accessing sensitive assets through these unguarded backdoors, such as shadow registers or other external-facing ports. |
| CWE-1302 | Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) | This vulnerability occurs when a System-On-Chip (SoC) component sends a transaction without its required security identifier. The destination hardware cannot properly verify permissions, leading to unintended access or system failure. |
| CWE-1303 | Non-Transparent Sharing of Microarchitectural Resources | This vulnerability occurs when a processor's internal performance features, like caches and branch predictors, are unintentionally shared between different software contexts. This breaks the expected isolation, allowing data to leak across security boundaries. |
| CWE-1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation | This vulnerability occurs when a hardware component saves its configuration state during a power-down operation but fails to protect or verify the integrity of that saved data before restoring it. As a result, an attacker can tamper with the stored settings, leading to a compromised state when the device powers back on. |
| CWE-1310 | Missing Ability to Patch ROM Code | A system or System-on-Chip (SoC) lacks a mechanism to update its initial boot code stored in Read-Only Memory (ROM), permanently exposing devices to unfixable security vulnerabilities. |
| CWE-1311 | Improper Translation of Security Attributes by Fabric Bridge | This vulnerability occurs when a hardware bridge incorrectly converts security attributes between different fabric protocols, potentially changing a transaction's identity from trusted to untrusted or vice versa during protocol translation. |
| CWE-1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall | An on-chip fabric firewall fails to apply its security rules to mirrored memory or MMIO regions, only protecting the primary address range. This allows attackers to bypass read/write restrictions by targeting the unprotected mirrored copies. |
| CWE-1313 | Hardware Allows Activation of Test or Debug Logic at Runtime | This vulnerability occurs when hardware includes test or debug features that remain accessible during normal operation. An attacker can activate these features at runtime to alter the hardware's state, bypass security controls, and potentially leak or manipulate sensitive data. |
| CWE-1314 | Missing Write Protection for Parametric Data Values | This vulnerability occurs when a hardware device fails to protect the scaling parameters used to convert raw sensor readings. Untrusted software can alter these conversion factors, making dangerous conditions appear safe and potentially leading to hardware damage or system failure. |
| CWE-1315 | Improper Setting of Bus Controlling Capability in Fabric End-point | This vulnerability occurs when a hardware fabric endpoint is incorrectly configured to grant bus controller privileges to a device that should only respond to requests. This allows an unauthorized device to initiate and control data transactions across the system bus. |
| CWE-1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges | This vulnerability occurs when a hardware fabric's address map incorrectly allows protected and unprotected memory regions to overlap. Attackers can exploit this overlap to bypass security controls and access restricted data or functions. |
| CWE-1317 | Improper Access Control in Fabric Bridge | This vulnerability occurs when a hardware fabric bridge, which connects different IP blocks on a chip, fails to properly verify access permissions for transactions passing through it. The bridge forwards requests without checking the master's privilege level or the hardware identity, effectively bypassing critical security controls. |
| CWE-1318 | Missing Support for Security Features in On-chip Fabrics or Buses | This vulnerability occurs when the communication channels (fabrics or buses) within a chip lack built-in or enabled security features, such as privilege separation or access controls, leaving data transfers unprotected. |
| CWE-1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) | This vulnerability occurs when a hardware device lacks sufficient shielding against electromagnetic interference, allowing attackers to disrupt its internal operations. By inducing targeted electromagnetic pulses, an attacker can force the device to malfunction, potentially bypassing security checks or leaking sensitive data. |
| CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals | This vulnerability occurs when hardware alert systems for critical conditions, like overheating or power surges, lack proper security. Untrusted software or agents can disable these warnings or trigger false alarms, preventing the system from taking protective actions. |
| CWE-1323 | Improper Management of Sensitive Trace Data | This vulnerability occurs when sensitive trace data from a System-on-Chip (SoC), such as information from CPUs or cryptographic modules, is stored in unsecured memory or transmitted to unauthorized debuggers, potentially exposing confidential information. |
| CWE-1326 | Missing Immutable Root of Trust in Hardware | This vulnerability occurs when a hardware chip lacks a permanent, unchangeable root of trust. Without this immutable foundation, attackers can bypass secure boot protections and run unauthorized or malicious code during the system startup process. |
| CWE-1328 | Security Version Number Mutable to Older Versions | This vulnerability occurs when a hardware system's security version number can be changed, allowing an attacker to downgrade or roll back the boot firmware to older, vulnerable versions. |
| CWE-1329 | Reliance on Component That is Not Updateable | This vulnerability occurs when a product depends on a component that cannot be updated or patched to fix security flaws or critical bugs. |
| CWE-1331 | Improper Isolation of Shared Resources in Network On Chip (NoC) | This vulnerability occurs when a Network on Chip (NoC) fails to properly separate its internal, shared resources—like buffers, switches, and channels—between trusted and untrusted components. This lack of isolation creates a timing side-channel, allowing untrusted agents to potentially infer sensitive data from trusted ones. |
| CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips | This vulnerability occurs when a hardware device lacks or incorrectly implements the necessary circuitry or sensors to detect and respond to the skipping of critical security instructions during CPU execution. |
| CWE-1334 | Unauthorized Error Injection Can Degrade Hardware Redundancy | This vulnerability occurs when an attacker without proper permissions can deliberately inject faults into a hardware system's backup components. This action disables the redundancy, forcing the system into a less secure, degraded state. |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | This vulnerability occurs when an application uses a template engine to process user-controlled input but fails to properly sanitize special syntax characters. Attackers can inject template expressions or directives that the engine executes, leading to unintended code execution. |
| CWE-1338 | Improper Protections Against Hardware Overheating | This vulnerability occurs when a hardware device lacks sufficient safeguards to prevent dangerous temperature increases during operation. |
| CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution | This vulnerability occurs when a CPU fails to completely erase temporary data traces left behind by speculative execution or error recovery processes. These lingering microarchitectural hints can be analyzed through side-channels to leak sensitive information. |
| CWE-1351 | Improper Handling of Hardware Behavior in Exceptionally Cold Environments | This weakness occurs when a hardware device or its firmware lacks proper safeguards to maintain security functions when operated in extremely cold temperatures. Designers may fail to anticipate how critical components, like memory or security primitives, behave outside their standard operating range, creating exploitable gaps. |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | This weakness occurs when a system integrates a component that cannot be fully trusted to meet security, reliability, and maintenance standards, creating risk for the entire product. |
| CWE-1384 | Improper Handling of Physical or Environmental Conditions | This weakness occurs when a hardware device fails to manage unexpected physical or environmental situations, whether they happen naturally or are deliberately caused by an attacker. These conditions can force the hardware into an insecure state. |
| CWE-1390 | Weak Authentication | This vulnerability occurs when a system's login or identity verification process is too easy to bypass or fool. While it attempts to check who a user claims to be, the checks are insufficient, allowing attackers to impersonate legitimate users. |
| CWE-1391 | Use of Weak Credentials | This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily guessable values—that an attacker can deduce, reuse, or predict without needing to perform a full brute-force attack. |
| CWE-1392 | Use of Default Credentials | This vulnerability occurs when a system, device, or application relies on pre-configured, publicly known credentials like passwords or encryption keys for access to critical functions. |
| CWE-1393 | Use of Default Password | This vulnerability occurs when a system or device uses a pre-configured, publicly known password for authentication, often for administrative or critical functions. |
| CWE-1394 | Use of Default Cryptographic Key | This vulnerability occurs when a system uses a pre-configured, publicly known cryptographic key for security-critical operations instead of generating a unique one. |
| CWE-1395 | Dependency on Vulnerable Third-Party Component | This vulnerability occurs when your software relies on an external library, framework, or module that contains known security flaws. |
| CWE-1420 | Exposure of Sensitive Information during Transient Execution | Transient execution vulnerabilities occur when a processor speculatively runs operations that don't officially commit, potentially leaking sensitive data through covert side channels like cache timing. |
| CWE-1421 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution | This vulnerability occurs when a processor's speculative execution (transient operations) can temporarily access restricted data from another security domain. This sensitive information can leave traces in shared hardware structures like CPU caches, where an attacker could potentially retrieve it using a covert channel attack. |
| CWE-1422 | Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution | This vulnerability occurs when a CPU incorrectly forwards outdated or incorrect data during speculative execution. This allows sensitive information to leak through covert side-channel attacks, even when software-level protections are in place. |
| CWE-1423 | Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution | This vulnerability occurs when separate software components, like different processes or virtual machines, share the processor's internal prediction mechanisms. An attacker can manipulate these shared predictors to trigger speculative execution in a victim component, potentially leaking sensitive data across a security boundary via covert side channels. |
| CWE-1426 | Improper Validation of Generative AI Output | This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before using it. Without this validation, the AI's responses might contain security flaws, harmful content, or data leaks that violate the application's intended policies. |
| CWE-1427 | Improper Neutralization of Input Used for LLM Prompting | This vulnerability occurs when an application builds prompts for a Large Language Model (LLM) using external data, but does so in a way that the LLM cannot tell the difference between the developer's intended instructions and the user's potentially malicious input. This allows an attacker to 'hijack' the prompt and make the model ignore its original guidelines. |
| CWE-1428 | Reliance on HTTP instead of HTTPS | This vulnerability occurs when an application uses unencrypted HTTP connections instead of the secure HTTPS alternative, even when HTTPS is available. |
| CWE-1429 | Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface | This vulnerability occurs when a hardware interface discards operations without providing any security-relevant feedback, such as error notifications or logs. This silence prevents the timely detection of critical failures or active attacks, leaving systems vulnerable to undetected compromise. |
| CWE-184 | Incomplete List of Disallowed Inputs | This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but that list is missing critical entries. Attackers can bypass the protection by using variations or inputs the developers didn't anticipate. |
| CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | This vulnerability occurs when an application sends data to an external party, but accidentally includes sensitive information—like passwords, keys, or personal data—that the recipient should not be able to access. |
| CWE-202 | Exposure of Sensitive Information Through Data Queries | This vulnerability occurs when an attacker uses statistical analysis on aggregated or anonymized data to uncover sensitive details about individuals, even when direct identifiers are removed. |
| CWE-203 | Observable Discrepancy | This vulnerability occurs when an application responds differently to unauthorized users based on internal conditions. Attackers can observe these variations—like changes in error messages, timing, or system behavior—to infer sensitive information, such as whether a username exists, a password is incorrect, or a specific operation succeeded. |
| CWE-204 | Observable Response Discrepancy | This vulnerability occurs when an application responds differently to similar requests, unintentionally leaking details about its internal state or logic to unauthorized users. |
| CWE-205 | Observable Behavioral Discrepancy | This vulnerability occurs when an application behaves differently in ways that unauthorized users can detect. These observable differences can reveal internal system logic, state information, or how the product varies from similar applications, providing attackers with valuable clues. |
| CWE-208 | Observable Timing Discrepancy | This vulnerability occurs when an application takes measurably different amounts of time to perform different operations, such as checking a password or processing a request. An attacker can observe these timing differences to learn sensitive information, like whether a username is valid or a cryptographic key guess is correct. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users. |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | This vulnerability occurs when an application detects a problem and generates its own error messages that accidentally expose sensitive system or user data. |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | This vulnerability occurs when an application triggers an error message from an external component—like a database, interpreter, or operating system—and that error reveals sensitive details about the system's internal workings, configuration, or data. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | This vulnerability occurs when an application stores or transmits a resource containing sensitive data without properly cleaning it first, potentially exposing that information to unauthorized parties. |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | This vulnerability occurs when a system's data handling aligns with the developer's security rules but accidentally reveals information that other stakeholders—like users or administrators—consider confidential. Essentially, the developer's policy conflicts with the security expectations of the people who use or manage the product. |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | This vulnerability occurs when a process is started with sensitive data, such as passwords or API keys, passed directly in its command-line arguments or environment variables. Because this information is often visible to other processes on the system, it can be easily exposed. |
| CWE-221 | Information Loss or Omission | This weakness occurs when an application fails to log critical security events or records them inaccurately, which can misguide security decisions and hinder incident investigation. |
| CWE-223 | Omission of Security-relevant Information | This vulnerability occurs when an application fails to capture or present crucial security-related details, such as the origin of a request or the specifics of a security event. Without this information, developers and security teams cannot effectively trace attacks or validate whether an operation is legitimate. |
| CWE-250 | Execution with Unnecessary Privileges | This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege creates security risks by opening doors to new attacks or making existing weaknesses more dangerous. |
| CWE-256 | Plaintext Storage of a Password | This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them. |
| CWE-257 | Storing Passwords in a Recoverable Format | This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their original plaintext form. This practice, often called storing 'recoverable' passwords, defeats the core purpose of password protection. It allows anyone with access to the stored data—including attackers who breach the system or even malicious insiders—to obtain and reuse the actual passwords on other accounts, offering no real security advantage over storing them in plain text. |
| CWE-260 | Password in Configuration File | This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable to anyone with access to that file. |
| CWE-261 | Weak Encoding for Password | Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed. |
| CWE-262 | Not Using Password Aging | This vulnerability occurs when a system lacks password expiration policies, allowing users to keep the same password indefinitely. |
| CWE-263 | Password Aging with Long Expiration | The system enforces password changes, but the time allowed between changes is excessively long, weakening security. |
| CWE-267 | Privilege Defined With Unsafe Actions | This vulnerability occurs when a system grants a user, role, or process a specific permission that can be misused to perform dangerous, unintended actions. The permission itself is correctly assigned, but its scope is too broad or allows for unsafe operations. |
| CWE-268 | Privilege Chaining | Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow. |
| CWE-269 | Improper Privilege Management | This vulnerability occurs when an application fails to correctly manage user permissions, allowing someone to perform actions or access data beyond their intended authority. |
| CWE-270 | Privilege Context Switching Error | This vulnerability occurs when an application fails to properly manage user permissions while moving between different security contexts, potentially allowing unauthorized actions. |
| CWE-271 | Privilege Dropping / Lowering Errors | This vulnerability occurs when a system or process fails to reduce its elevated permissions before transferring control of a resource to a less-privileged user or component. |
| CWE-276 | Incorrect Default Permissions | This vulnerability occurs when software installation scripts set overly permissive file or directory access rights by default. Instead of restricting write access to authorized users or processes, the installation allows unintended actors to modify, delete, or corrupt critical application files. |
| CWE-282 | Improper Ownership Management | This vulnerability occurs when a system incorrectly assigns or fails to verify which user or process rightfully controls a specific object or resource. |
| CWE-283 | Unverified Ownership | This vulnerability occurs when an application fails to confirm that a user has legitimate ownership rights to a sensitive resource before allowing them to perform actions on it. |
| CWE-285 | Improper Authorization | This vulnerability occurs when an application fails to properly verify whether a user has permission to access specific data or perform certain actions before allowing the request. |
| CWE-286 | Incorrect User Management | This vulnerability occurs when an application incorrectly handles user accounts, roles, or group memberships, leading to improper access control. |
| CWE-287 | Improper Authentication | Improper Authentication occurs when a system fails to properly verify a user's claimed identity, allowing access without sufficient proof of who they are. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | This vulnerability occurs when a system has a primary login requirement, but attackers can find an unprotected backdoor or alternative route that completely bypasses those checks. |
| CWE-289 | Authentication Bypass by Alternate Name | This vulnerability occurs when a system checks access based on a resource or user name, but fails to account for all the different names or aliases that could refer to the same entity, allowing attackers to bypass authentication. |
| CWE-294 | Authentication Bypass by Capture-replay | This vulnerability occurs when an attacker can intercept and record legitimate authentication traffic, then replay it later to gain unauthorized access. The system accepts the replayed data as valid, effectively bypassing normal authentication checks. |
| CWE-295 | Improper Certificate Validation | This vulnerability occurs when an application fails to properly verify the authenticity of a digital certificate, or performs the verification incorrectly, allowing untrusted connections to appear legitimate. |
| CWE-300 | Channel Accessible by Non-Endpoint | This vulnerability occurs when a system fails to properly verify who is on the other end of a communication link or to secure the channel itself. This allows an unauthorized third party to access or manipulate the communication as if they were a legitimate participant. |
| CWE-301 | Reflection Attack in an Authentication Protocol | A reflection attack is a flaw in mutual authentication protocols that allows an attacker to impersonate a legitimate user without knowing the secret key. This happens when an attacker can bounce, or 'reflect,' a server's own challenge back to it using a second connection, tricking the system into granting access. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can manipulate it to bypass login or verification checks. |
| CWE-306 | Missing Authentication for Critical Function | This vulnerability occurs when a software feature that performs a sensitive action or uses significant system resources does not verify the user's identity before executing. Attackers can exploit this to trigger critical functions without any credentials. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | This vulnerability occurs when an application fails to properly limit how many times someone can attempt to log in or verify their identity in rapid succession, allowing attackers to systematically guess credentials. |
| CWE-308 | Use of Single-factor Authentication | Relying solely on single-factor authentication, like a password, exposes systems to significant security risks because it depends on only one type of proof for verifying a user's identity. |
| CWE-309 | Use of Password System for Primary Authentication | This weakness occurs when an application relies solely on password-based authentication as its main security gate. This single-factor approach is inherently vulnerable to a range of attacks that can compromise user accounts. |
| CWE-311 | Missing Encryption of Sensitive Data | This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed. |
| CWE-312 | Cleartext Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-322 | Key Exchange without Entity Authentication | This vulnerability occurs when a system establishes a cryptographic key with another party without first confirming that party's true identity. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | This vulnerability occurs when a cryptographic nonce or key pair is reused, compromising the security of the encrypted data. |
| CWE-324 | Use of a Key Past its Expiration Date | This vulnerability occurs when an application continues to use a cryptographic key or password after its designated expiration date. Doing so dramatically increases the security risk by giving attackers more time to discover or crack the key. |
| CWE-326 | Inadequate Encryption Strength | This vulnerability occurs when an application protects sensitive information with encryption, but the specific algorithm or key strength used is too weak to withstand modern attack methods. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security standards. |
| CWE-328 | Use of Weak Hash | This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input that creates the same hash, or discover collisions where two inputs produce identical hash values. |
| CWE-330 | Use of Insufficiently Random Values | This vulnerability occurs when an application uses random values that are not sufficiently unpredictable in security-sensitive operations, making them easier for attackers to guess or calculate. |
| CWE-331 | Insufficient Entropy | This vulnerability occurs when a system's random number generator or algorithm lacks sufficient unpredictability, creating patterns or predictable outputs that are easier for attackers to guess. |
| CWE-334 | Small Space of Random Values | This vulnerability occurs when a system uses a random number generator that produces too few possible values. Attackers can easily predict or guess these values through brute force attacks. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when software uses a pseudo-random number generator (PRNG) that is not cryptographically strong for security-sensitive operations, such as generating keys, tokens, or initialization vectors. |
| CWE-340 | Generation of Predictable Numbers or Identifiers | This vulnerability occurs when a system creates numbers or identifiers that are too easy to guess, undermining security mechanisms that rely on unpredictability. |
| CWE-341 | Predictable from Observable State | This vulnerability occurs when an attacker can guess or deduce sensitive values, like random numbers or identifiers, by observing predictable system or network characteristics such as timestamps, process IDs, or other public information. |
| CWE-342 | Predictable Exact Value from Previous Values | This vulnerability occurs when a system uses a predictable sequence for generating values, allowing an attacker to accurately guess future numbers by analyzing past ones. |
| CWE-343 | Predictable Value Range from Previous Values | This vulnerability occurs when a system's random number generator produces values that, after observing previous outputs, allow an attacker to predict a limited range for the next value. |
| CWE-344 | Use of Invariant Value in Dynamically Changing Context | This vulnerability occurs when code uses a fixed, unchanging value (like a hardcoded string, number, or reference) in a situation where that value should actually be flexible and adapt to different runtime conditions or environments. |
| CWE-345 | Insufficient Verification of Data Authenticity | This vulnerability occurs when an application fails to properly check where data comes from or confirm its legitimacy, allowing untrusted or forged information to be processed as valid. |
| CWE-346 | Origin Validation Error | This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source. |
| CWE-347 | Improper Verification of Cryptographic Signature | This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step entirely, allowing tampered or forged information to be accepted as legitimate. |
| CWE-348 | Use of Less Trusted Source | This vulnerability occurs when a system has access to multiple sources for the same critical data, but it chooses to rely on the less secure or less trustworthy one. This creates a security gap because the system ignores better-protected alternatives that offer stronger verification or are harder for attackers to compromise. |
| CWE-353 | Missing Support for Integrity Check | This vulnerability occurs when a system uses a communication protocol that lacks built-in integrity verification, such as a checksum or cryptographic hash, to detect if data has been altered or corrupted during transmission. |
| CWE-354 | Improper Validation of Integrity Check Value | This vulnerability occurs when software fails to properly check the integrity of data by validating its checksum or hash value. Without this verification, the application cannot reliably detect if information has been altered, corrupted, or tampered with during storage or transmission. |
| CWE-356 | Product UI does not Warn User of Unsafe Actions | This vulnerability occurs when a software interface fails to alert users before they perform a risky action. Without clear warnings, users can be more easily misled into taking steps that harm their system or data. |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | This vulnerability occurs when a software application does present a warning to a user before a risky action, but the warning is designed or placed in a way that makes it too easy to miss, ignore, or accidentally dismiss. |
| CWE-358 | Improperly Implemented Security Check for Standard | This vulnerability occurs when software fails to correctly implement one or more critical security checks required by a standard protocol, algorithm, or security technique. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | This vulnerability occurs when an application fails to adequately protect sensitive personal data, allowing access to individuals who either lack proper authorization or haven't provided necessary consent for its use. |
| CWE-360 | Trust of System Event Data | This vulnerability occurs when software blindly trusts system event data without verifying its source, allowing attackers to spoof events and manipulate application behavior. |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | A race condition occurs when multiple processes or threads access a shared resource simultaneously without proper coordination, creating a timing window where the resource's state can be unexpectedly altered, leading to unpredictable behavior or security vulnerabilities. |
| CWE-363 | Race Condition Enabling Link Following | This vulnerability occurs when a program checks a file's status before using it, creating a brief window where an attacker can replace that file with a malicious link. This causes the program to follow the link and access an unintended, potentially dangerous location. |
| CWE-368 | Context Switching Race Condition | This vulnerability occurs when an application switches between different security contexts (like privilege levels or domains) using a series of steps that can be interrupted. An attacker can exploit the timing gap during this switch to trick the application into performing actions with the wrong permissions or resources. |
| CWE-385 | Covert Timing Channel | A covert timing channel is a security flaw where an attacker can deduce secret information by observing how long certain operations take to execute. Instead of directly reading data, they analyze timing variations in system behavior to infer protected details. |
| CWE-386 | Symbolic Name not Mapping to Correct Object | This vulnerability occurs when a program uses a fixed symbolic name (like a constant or identifier) to refer to an object, but that name can later point to a different, unintended object during execution. |
| CWE-400 | Uncontrolled Resource Consumption | This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a denial of service. |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | This vulnerability occurs when an application unintentionally exposes internal resources, like files, memory, or database connections, to unauthorized users or systems. Essentially, it's a type of resource leak where sensitive assets cross a security boundary. |
| CWE-405 | Asymmetric Resource Consumption (Amplification) | This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage. |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) | This vulnerability occurs when a system fails to properly limit the amount of network traffic it can generate in response to a request, allowing an attacker to abuse it to send a disproportionately large volume of data. |
| CWE-407 | Inefficient Algorithmic Complexity | This vulnerability occurs when a software component uses an algorithm with poor worst-case performance. An attacker can exploit this by providing specially crafted input that forces the algorithm into its slowest possible execution path, leading to severe performance degradation or denial of service. |
| CWE-408 | Incorrect Behavior Order: Early Amplification | This vulnerability occurs when a system allows a user to trigger a resource-intensive operation before verifying their identity or checking their permissions. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | This vulnerability occurs when software fails to safely process highly compressed data, where a small input file can trigger the creation of an extremely large amount of data during decompression, overwhelming system resources. |
| CWE-410 | Insufficient Resource Pool | This vulnerability occurs when a system's resource pool is too small to handle maximum usage. Attackers can exploit this by making a high volume of requests, consuming all available resources and blocking legitimate users. |
| CWE-412 | Unrestricted Externally Accessible Lock | This vulnerability occurs when a system correctly checks for a lock's existence, but an unauthorized external actor can control or influence that lock. |
| CWE-413 | Improper Resource Locking | This vulnerability occurs when an application fails to properly lock a shared resource, such as a file or memory location, before performing operations that require exclusive access. |
| CWE-414 | Missing Lock Check | This vulnerability occurs when software fails to verify that a proper synchronization lock is active before accessing or modifying a shared resource, potentially leading to race conditions and data corruption. |
| CWE-419 | Unprotected Primary Channel | This vulnerability occurs when an application exposes a privileged administrative interface or restricted functionality through a primary channel (like a specific port, endpoint, or protocol) without implementing adequate security controls to protect it. |
| CWE-420 | Unprotected Alternate Channel | This vulnerability occurs when an application secures its main communication path but leaves a backup or alternative channel with weaker or no protection. |
| CWE-421 | Race Condition During Access to Alternate Channel | A race condition occurs when an application opens a secondary communication channel intended for an authorized user, but fails to secure it, allowing other actors to potentially access it first. |
| CWE-424 | Improper Protection of Alternate Path | This vulnerability occurs when an application fails to secure every possible route a user could take to reach sensitive features or data, leaving backdoors or unintended access points open. |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server. |
| CWE-436 | Interpretation Conflict | An interpretation conflict occurs when two systems process the same data or sequence of events differently, leading one system to make incorrect decisions based on its flawed understanding of the other's state. |
| CWE-437 | Incomplete Model of Endpoint Features | This vulnerability occurs when a security product, proxy, or monitoring system sits between endpoints but lacks a full understanding of what those endpoints can do or their current state. Because it's working with incomplete information, it can make wrong decisions, allowing malicious traffic to pass or incorrectly blocking legitimate requests. |
| CWE-439 | Behavioral Change in New Version or Environment | This vulnerability occurs when a component's behavior unexpectedly changes after an update or when deployed to a different environment, and the systems or users depending on it are unaware of and cannot manage this change. |
| CWE-440 | Expected Behavior Violation | This weakness occurs when a software component, such as a function, API, or feature, fails to act as documented or intended. The system's actual behavior deviates from its promised specification, leading to unpredictable results. |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | A confused deputy vulnerability occurs when a system receives a request from a client and forwards it to an external destination without properly identifying the original source. This makes the system appear to be the originator of the request, effectively turning it into an unintended proxy for the client. |
| CWE-446 | UI Discrepancy for Security Feature | This vulnerability occurs when a user interface incorrectly displays a security feature as active or properly configured, misleading users into believing they are protected when they are not. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | This vulnerability occurs when a user interface fails to accurately display or highlight crucial information, potentially misleading users about the true state of the system or the source of data. Attackers exploit this weakness to trick users into performing unintended actions, often as part of phishing campaigns or other deception-based attacks. |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | This vulnerability occurs when an application sets up its critical internal variables or storage systems using data from untrusted, external sources that an attacker could control. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide which class to load or which method to execute via reflection. An attacker can manipulate this input to force the application to load unexpected, potentially malicious code. |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | This vulnerability occurs when an application fails to protect data it assumes cannot be changed, allowing an attacker to alter it. |
| CWE-475 | Undefined Behavior for Input to API | This API function exhibits unpredictable or undefined behavior when its control parameter is not set to the exact, required value. |
| CWE-494 | Download of Code Without Integrity Check | This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been tampered with. |
| CWE-501 | Trust Boundary Violation | This vulnerability occurs when an application incorrectly stores or processes trusted and untrusted data together within the same structure, such as an object, array, or message. |
| CWE-502 | Deserialization of Untrusted Data | This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation, allowing an attacker to manipulate the data to execute malicious code or cause unexpected behavior. |
| CWE-510 | Trapdoor | A trapdoor, often called a backdoor, is a hidden piece of code intentionally placed within software. It activates in response to a specific, often secret, input—like a special password or sequence—bypassing standard authentication and authorization checks to grant unauthorized access. |
| CWE-511 | Logic/Time Bomb | A logic or time bomb is malicious code intentionally placed within software to trigger harmful actions when a specific condition is met or a predetermined time is reached. |
| CWE-512 | Spyware | Spyware is software that secretly gathers personal information about a user or their activities. It does this by accessing data from other sources on the system, without the user's direct input or explicit consent. |
| CWE-521 | Weak Password Requirements | This vulnerability occurs when an application fails to enforce strong password policies, making user accounts easier to compromise through guessing or automated attacks. |
| CWE-522 | Insufficiently Protected Credentials | This vulnerability occurs when an application handles sensitive credentials like passwords or API keys in an insecure way, making them easy for attackers to steal during transmission or while stored. |
| CWE-523 | Unprotected Transport of Credentials | This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a network without proper encryption, exposing them to interception. |
| CWE-532 | Insertion of Sensitive Information into Log File | This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files. |
| CWE-544 | Missing Standardized Error Handling Mechanism | This weakness occurs when software lacks a unified, consistent approach to managing errors across its codebase, leading to unpredictable security gaps and unreliable behavior. |
| CWE-552 | Files or Directories Accessible to External Parties | This vulnerability occurs when an application exposes files or directories to users who shouldn't have access to them. |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | This vulnerability occurs when an application uses cookies to make security decisions—like granting access or changing settings—but fails to verify that the cookie data is legitimate, unaltered, and belongs to the current user. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect, allowing an attacker to send users to an untrusted, external website. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | This vulnerability occurs when a server incorrectly trusts the client to enforce critical security rules, such as input validation or access controls, instead of performing these checks itself. |
| CWE-603 | Use of Client-Side Authentication | This vulnerability occurs when an application places its authentication logic solely within the client-side code, such as in a mobile app or web browser, without enforcing the same checks on the server. Attackers can bypass authentication by modifying the client to skip these checks entirely. |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | This vulnerability occurs when an application uses user-supplied input to reference a resource located outside its intended security boundary, allowing attackers to redirect operations to unintended locations. |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information | This vulnerability occurs when a system indexes sensitive documents for search but fails to properly restrict who can query that index. Attackers can then discover and extract confidential information from the indexed content without having direct access to the original files. |
| CWE-613 | Insufficient Session Expiration | Insufficient session expiration occurs when an application allows old session tokens or IDs to remain valid for too long, letting attackers reuse them to gain unauthorized access. |
| CWE-620 | Unverified Password Change | This vulnerability occurs when an application allows a user to set a new password without first verifying their identity through the old password or a secure secondary authentication method. |
| CWE-636 | Not Failing Securely ('Failing Open') | This vulnerability occurs when a system, upon encountering an error or failure, defaults to its least secure configuration instead of a safer alternative. Examples include reverting to the weakest encryption or the most permissive access rules. |
| CWE-637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') | This weakness occurs when a security feature is implemented with excessive complexity, creating unnecessary risk. Overly intricate protection mechanisms are harder to understand, configure, and implement correctly, often leading to security gaps and misconfigurations. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | This vulnerability occurs when an application's authorization system fails to verify that a user is allowed to access specific data before retrieving it, allowing an attacker to access another user's information by manipulating an identifier they control. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts. |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | This vulnerability occurs when an application creates file or resource names using unvalidated user input, failing to properly limit what characters or paths can be used. |
| CWE-642 | External Control of Critical State Data | This vulnerability occurs when an application stores security-sensitive state data in locations that unauthorized users can access and modify. |
| CWE-645 | Overly Restrictive Account Lockout Mechanism | This vulnerability occurs when an application's account lockout feature is too strict, allowing attackers to easily trigger it and lock legitimate users out of their accounts, causing a denial of service. |
| CWE-648 | Incorrect Use of Privileged APIs | This vulnerability occurs when software incorrectly uses functions that require special permissions. Attackers can exploit these mistakes to gain unauthorized access, elevate their privileges, or steal sensitive data. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | This vulnerability occurs when an application uses obfuscation or encryption to hide security-sensitive data (like tokens or parameters) but fails to verify whether that data has been altered. Without integrity checks, the system cannot detect if an attacker has tampered with these inputs. |
| CWE-653 | Improper Isolation or Compartmentalization | This vulnerability occurs when an application fails to enforce strong boundaries between components that operate at different security levels, allowing lower-privileged functions to improperly interact with higher-privileged ones. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | This vulnerability occurs when a system's security check depends almost entirely on just one condition, object, or piece of data to decide whether to grant access to sensitive resources or actions. It's like having a single, easily compromised lock on a vault, instead of a layered defense. |
| CWE-655 | Insufficient Psychological Acceptability | This weakness occurs when security features are so cumbersome or confusing that well-intentioned users feel forced to turn them off or find workarounds, defeating their purpose entirely. |
| CWE-656 | Reliance on Security Through Obscurity | This weakness occurs when a system's primary defense relies on hiding how it works, rather than using a robust, well-tested security mechanism. If an attacker discovers the hidden details—like a secret algorithm or hardcoded key—the protection fails completely. |
| CWE-657 | Violation of Secure Design Principles | This weakness occurs when a system's architecture or design fails to follow fundamental security principles, creating a flawed foundation that can lead to multiple vulnerabilities. |
| CWE-662 | Improper Synchronization | This vulnerability occurs when a multi-threaded or multi-process application allows shared resources to be accessed by multiple threads or processes simultaneously, without proper safeguards to enforce exclusive access. |
| CWE-667 | Improper Locking | This vulnerability occurs when a program fails to correctly acquire or release a lock on a shared resource, such as a file, database record, or memory location. This improper synchronization allows other processes or threads to interfere, leading to corrupted data, crashes, or unpredictable behavior. |
| CWE-668 | Exposure of Resource to Wrong Sphere | This vulnerability occurs when an application unintentionally makes a resource accessible to users or systems that should not have permission to use it. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | This vulnerability occurs when an application incorrectly moves or shares a resource (like data, permissions, or functionality) between different trust boundaries or security contexts. This improper transfer can give unintended actors control over that resource, leading to security breaches. |
| CWE-671 | Lack of Administrator Control over Security | This weakness occurs when a system's built-in security settings cannot be adjusted by its administrator. This prevents tailoring security to the specific deployment environment, forcing the system to operate at a lower or inappropriate security level than required. |
| CWE-673 | External Influence of Sphere Definition | The application allows external parties to modify its security boundaries or trusted zones, which should be defined and controlled internally. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | This vulnerability occurs when a system uses multiple resources that can share the same identifier, even though the application logic requires each identifier to be unique. |
| CWE-696 | Incorrect Behavior Order | This weakness occurs when a system executes multiple dependent actions in the wrong sequence, leading to unexpected and potentially vulnerable states. |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | This vulnerability occurs when software uses a name, path, or reference to access a resource, but that identifier points to something outside the area the application is supposed to control, leading to unauthorized access or manipulation. |
| CWE-708 | Incorrect Ownership Assignment | This vulnerability occurs when a system grants ownership of a resource to an entity that should not have that level of control, placing it outside the intended security boundary. |
| CWE-73 | External Control of File Name or Path | This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | This vulnerability occurs when a system grants overly permissive access to a sensitive resource, allowing unauthorized users or processes to read or alter it. |
| CWE-749 | Exposed Dangerous Method or Function | This vulnerability occurs when a software component exposes an API or interface containing a high-risk function that lacks proper access controls, allowing unauthorized actors to trigger it. |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | This vulnerability occurs when a protocol or system allows negotiating a security algorithm (like encryption) but chooses a weaker option than the strongest one both parties support, creating an unnecessary security gap. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of it as a buffet with no rules on how much one person can take, eventually leaving nothing for others and causing the system to fail. |
| CWE-798 | Use of Hard-coded Credentials | This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files. |
| CWE-799 | Improper Control of Interaction Frequency | This vulnerability occurs when an application fails to properly restrict how often or how many times a user or automated system can interact with it. |
| CWE-804 | Guessable CAPTCHA | This vulnerability occurs when a CAPTCHA challenge is too easy for automated bots to solve, either by guessing or using pattern recognition, allowing them to bypass the human verification step. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | This vulnerability occurs when an application's security check depends on user-controlled data that can be manipulated to bypass protection mechanisms, such as authentication or authorization gates. |
| CWE-862 | Missing Authorization | This vulnerability occurs when an application fails to verify whether a user has permission to access specific data or execute certain actions before allowing the request to proceed. |
| CWE-863 | Incorrect Authorization | This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access. |
| CWE-912 | Hidden Functionality | Hidden functionality refers to undocumented features, commands, or code within a product that are not part of its official specification and are not obvious to users or administrators. |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | This vulnerability occurs when an application fails to properly secure access to code resources that can be created or altered at runtime, such as variables, functions, or objects. |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | This vulnerability occurs when a system protects passwords by hashing them, but uses a hashing algorithm that is too fast or computationally cheap. This makes it easy for attackers to crack the stored password hashes using brute-force methods. |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Expression Language Injection occurs when an application uses untrusted, external input to build an expression language statement—common in frameworks like Java Server Pages (JSP)—without properly sanitizing it. This allows an attacker to inject malicious expressions that alter the intended logic and execute arbitrary code when the statement is processed. |
| CWE-918 | Server-Side Request Forgery (SSRF) | Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource based on user-controlled input, but fails to properly validate or restrict where those requests are sent. This allows an attacker to trick the server into making unauthorized connections to internal systems or external domains. |
| CWE-920 | Improper Restriction of Power Consumption | This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to actively manage and limit its own energy usage. |
| CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control | This vulnerability occurs when an application saves sensitive information to a storage location that lacks proper access restrictions, allowing unauthorized users or applications to view or modify the data. |
| CWE-922 | Insecure Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data—like credentials, personal information, or encryption keys—without enforcing proper access controls, allowing unauthorized users to read or modify it. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | This vulnerability occurs when a system opens a communication channel for a sensitive task but fails to properly verify that it's actually talking to the correct, intended destination. This allows a malicious actor to impersonate the legitimate endpoint. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | This vulnerability occurs when an application receives data over a network but fails to properly verify that the information wasn't altered in transit. |
| CWE-940 | Improper Verification of Source of a Communication Channel | This vulnerability occurs when an application accepts incoming communication requests without properly checking where they originate from, allowing potentially malicious sources to establish a connection. |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel | This vulnerability occurs when an application establishes an outgoing communication channel but fails to correctly define or enforce the intended recipient. This misdirection can allow data to be sent to an untrusted or malicious destination. |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | This vulnerability occurs when an application accepts user input as a resource identifier (like a file path or port number) without proper validation, allowing an attacker to access or manipulate resources outside the intended scope. |
Mapping Notes
Usage: Prohibited
Reasons: View
Rationale:
This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.
Comment:
Use this View or other Views to search and navigate for the appropriate weakness.