Category: The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC)
Obsolete
Summary
Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-111 | Direct Use of Unsafe JNI | This weakness occurs when a Java application directly calls native code through the Java Native Interface (JNI), exposing the entire application to security risks present in that external code, even if Java itself is safe from those specific flaws. |
| CWE-266 | Incorrect Privilege Assignment | This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not have. This error creates an unintended level of access, allowing the actor to perform actions beyond their intended authority. |
| CWE-272 | Least Privilege Violation | This vulnerability occurs when software fails to reduce its elevated system privileges after completing a sensitive operation, leaving it with unnecessary and dangerous access rights. |
| CWE-300 | Channel Accessible by Non-Endpoint | This vulnerability occurs when a system fails to properly verify who is on the other end of a communication link or to secure the channel itself. This allows an unauthorized third party to access or manipulate the communication as if they were a legitimate participant. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | This vulnerability occurs when an authentication system incorrectly treats certain data as unchangeable, when in fact an attacker can manipulate it to bypass login or verification checks. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-347 | Improper Verification of Cryptographic Signature | This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step entirely, allowing tampered or forged information to be accepted as legitimate. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide which class to load or which method to execute via reflection. An attacker can manipulate this input to force the application to load unexpected, potentially malicious code. |
| CWE-494 | Download of Code Without Integrity Check | This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been tampered with. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | This vulnerability occurs when a system grants overly permissive access to a sensitive resource, allowing unauthorized users or processes to read or alter it. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | This vulnerability occurs when an application's security check depends on user-controlled data that can be manipulated to bypass protection mechanisms, such as authentication or authorization gates. |
| CWE-844 | Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011) | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.