Category: OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Obsolete
Summary
Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Deploying an ASP.NET application with debug binaries enabled exposes detailed system information, which attackers can use to map your infrastructure and plan targeted exploits. |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | This vulnerability occurs when an ASP.NET application fails to configure custom error pages, allowing attackers to extract sensitive information from the framework's default error messages. |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File | This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration files like web.config. This exposes those credentials to anyone with file system access, effectively bypassing security controls and granting unauthorized access to protected resources. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users. |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | This vulnerability occurs when developers embed sensitive data, such as passwords or API keys, within debugging statements like logs or console outputs, and fail to remove or disable this code before deploying to a live environment. |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | This vulnerability occurs when an application saves sensitive files, such as configuration data or private keys, inside the web server's publicly accessible directory. Without proper access restrictions, attackers can directly request and download these files. |
| CWE-295 | Improper Certificate Validation | This vulnerability occurs when an application fails to properly verify the authenticity of a digital certificate, or performs the verification incorrectly, allowing untrusted connections to appear legitimate. |
| CWE-459 | Incomplete Cleanup | This vulnerability occurs when an application fails to properly remove temporary files, data structures, or system resources after they are no longer needed. |
| CWE-489 | Active Debug Code | This vulnerability occurs when software is deployed to production with debugging or diagnostic features still enabled and accessible. |
| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | This vulnerability occurs when a J2EE application transmits sensitive data, like login credentials or session tokens, across a network without using strong encryption. Attackers monitoring the network can easily intercept, read, or even alter this information if it's sent in plain text or protected by weak cryptographic methods. |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | This vulnerability occurs when a .NET application is configured to run with impersonation, potentially granting it excessive system-level permissions that attackers could exploit. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable. |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere | This vulnerability occurs when a version control repository, like Git or SVN, is accidentally placed in a location accessible to unauthorized users, such as a web server directory or a public archive. |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | This vulnerability occurs when an application creates a core dump file (a snapshot of memory at the time of a crash) and places it in a location accessible to unauthorized users or systems. |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere | This vulnerability occurs when an application stores sensitive access control list (ACL) files in a location that is accessible to unauthorized users or systems. |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | This vulnerability occurs when backup or temporary files are stored in locations that unauthorized users can access, such as web directories. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | This vulnerability occurs when sensitive data, such as credentials, API keys, or internal logic, is embedded within test code or debugging applications that remain accessible in production environments. Attackers can discover and exploit these forgotten endpoints to gain unauthorized access or gather critical intelligence about the system. |
| CWE-532 | Insertion of Sensitive Information into Log File | This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that remains accessible on a web server or in a public repository. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | This vulnerability occurs when sensitive data like passwords or system details is placed inside a publicly accessible include file. Attackers can directly request these files to steal credentials and compromise the application. |
| CWE-548 | Exposure of Information Through Directory Listing | This vulnerability occurs when a web server is misconfigured to display a full list of files within a directory instead of serving a default web page, unintentionally exposing sensitive resources to anyone who visits the URL. |
| CWE-552 | Files or Directories Accessible to External Parties | This vulnerability occurs when an application exposes files or directories to users who shouldn't have access to them. |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | This vulnerability occurs when an ASP.NET application fails to implement a structured input validation framework, relying instead on ad-hoc or missing validation checks. |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | A J2EE application insecurely stores an unprotected password within a configuration file. |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation | This vulnerability occurs when an ASP.NET application is configured to run using impersonated credentials, which can grant the application excessive and unnecessary system privileges. |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | This vulnerability occurs when a J2EE application uses session identifiers that are too short, making them easier for attackers to predict or capture. |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | This vulnerability occurs when a J2EE application uses the server's default error pages instead of custom ones, potentially leaking sensitive system details. |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote | This vulnerability occurs when an Entity Bean in a J2EE application is incorrectly configured with a remote interface. This exposes data access methods to remote clients, allowing unauthorized users to potentially read sensitive information or manipulate data outside the application's intended security boundaries. |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | This vulnerability occurs when Enterprise JavaBean (EJB) methods are configured with overly permissive access rights, allowing attackers to exploit elevated privileges they should not have. |
| CWE-711 | Weaknesses in OWASP Top Ten (2004) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CWE-275 | Permission Issues | Weaknesses in this category are related to improper assignment or handling of permissions. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.