Category: SFP Secondary Cluster: Architecture
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-348 | Use of Less Trusted Source | This vulnerability occurs when a system has access to multiple sources for the same critical data, but it chooses to rely on the less secure or less trustworthy one. This creates a security gap because the system ignores better-protected alternatives that offer stronger verification or are harder for attackers to compromise. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | This vulnerability occurs when an application fails to adequately protect sensitive personal data, allowing access to individuals who either lack proper authorization or haven't provided necessary consent for its use. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | This vulnerability occurs when a server incorrectly trusts the client to enforce critical security rules, such as input validation or access controls, instead of performing these checks itself. |
| CWE-637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') | This weakness occurs when a security feature is implemented with excessive complexity, creating unnecessary risk. Overly intricate protection mechanisms are harder to understand, configure, and implement correctly, often leading to security gaps and misconfigurations. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | This vulnerability occurs when an application uses obfuscation or encryption to hide security-sensitive data (like tokens or parameters) but fails to verify whether that data has been altered. Without integrity checks, the system cannot detect if an attacker has tampered with these inputs. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | This vulnerability occurs when a system's security check depends almost entirely on just one condition, object, or piece of data to decide whether to grant access to sensitive resources or actions. It's like having a single, easily compromised lock on a vault, instead of a layered defense. |
| CWE-656 | Reliance on Security Through Obscurity | This weakness occurs when a system's primary defense relies on hiding how it works, rather than using a robust, well-tested security mechanism. If an attacker discovers the hidden details—like a secret algorithm or hardcoded key—the protection fails completely. |
| CWE-657 | Violation of Secure Design Principles | This weakness occurs when a system's architecture or design fails to follow fundamental security principles, creating a flawed foundation that can lead to multiple vulnerabilities. |
| CWE-671 | Lack of Administrator Control over Security | This weakness occurs when a system's built-in security settings cannot be adjusted by its administrator. This prevents tailoring security to the specific deployment environment, forcing the system to operate at a lower or inappropriate security level than required. |
| CWE-693 | Protection Mechanism Failure | This weakness occurs when software either lacks a necessary security control, implements one that is too weak, or fails to activate an existing control in a critical area, leaving it vulnerable to targeted attacks. |
| CWE-749 | Exposed Dangerous Method or Function | This vulnerability occurs when a software component exposes an API or interface containing a high-risk function that lacks proper access controls, allowing unauthorized actors to trigger it. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.