CWE Version 1.7
Edited by: Steven M. Christey, Conor O. Harris, Janis E. Kenderdine, and Brendan Miles
Project Lead: Robert A. Martin

CWE Version 1.7, 2009-12-28

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Copyright 2010, The MITRE Corporation

CWE and the CWE logo are trademarks of The MITRE Corporation. Contact [email protected] for more information.

Table of Contents

Symbols Used in CWE ..... xvii

Individual CWE Definitions

CWE-1: Location ..... 1
CWE-2: Environment ..... 1
CWE-3: Technology-specific Environment Issues ..... 1
CWE-4: J2EE Environment Issues ..... 2
CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption ..... 2
CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length ..... 3
CWE-7: J2EE Misconfiguration: Missing Custom Error Page ..... 4
CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote ..... 5
CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods ..... 6
CWE-10: ASP.NET Environment Issues ..... 7
CWE-11: ASP.NET Misconfiguration: Creating Debug Binary ..... 7
CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page ..... 8
CWE-13: ASP.NET Misconfiguration: Password in Configuration File ..... 9
CWE-14: Compiler Removal of Code to Clear Buffers ..... 10
CWE-15: External Control of System or Configuration Setting ..... 12
CWE-16: Configuration ..... 13
CWE-17: Code ..... 13
CWE-18: Source Code ..... 14
CWE-19: Data Handling ..... 14
CWE-20: Improper Input Validation ..... 15
CWE-21: Pathname Traversal and Equivalence Errors ..... 23
CWE-22: Path Traversal ..... 24
CWE-23: Relative Path Traversal ..... 26
CWE-24: Path Traversal: '../filedir' ..... 28
CWE-25: Path Traversal: '/../filedir' ..... 29
CWE-26: Path Traversal: '/dir/../filename' ..... 29
CWE-27: Path Traversal: 'dir/../../filename' ..... 30
CWE-28: Path Traversal: '..\filedir' ..... 31
CWE-29: Path Traversal: '\..\filename' ..... 33
CWE-30: Path Traversal: '\dir\..\filename' ..... 34
CWE-31: Path Traversal: 'dir\..\..\filename' ..... 35
CWE-32: Path Traversal: '...' (Triple Dot) ..... 36
CWE-33: Path Traversal: '....' (Multiple Dot) ..... 37
CWE-34: Path Traversal: '....//' ..... 38
CWE-35: Path Traversal: '.../...//' ..... 39
CWE-36: Absolute Path Traversal ..... 40
CWE-37: Path Traversal: '/absolute/pathname/here' ..... 41
CWE-38: Path Traversal: '\absolute\pathname\here' ..... 42
CWE-39: Path Traversal: 'C:dirname' ..... 43
CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) ..... 44
CWE-41: Improper Resolution of Path Equivalence ..... 45
CWE-42: Path Equivalence: 'filename.' (Trailing Dot) ..... 47
CWE-43: Path Equivalence: 'filename....' (Multiple Trailing Dot) ..... 47
CWE-44: Path Equivalence: 'file.name' (Internal Dot) ..... 48
CWE-45: Path Equivalence: 'file...name' (Multiple Internal Dot) ..... 48
CWE-46: Path Equivalence: 'filename ' (Trailing Space) ..... 49
CWE-47: Path Equivalence: ' filename (Leading Space) ..... 50
CWE-48: Path Equivalence: 'file name' (Internal Whitespace) ..... 50
CWE-49: Path Equivalence: 'filename/' (Trailing Slash) ..... 51
CWE-50: Path Equivalence: '//multiple/leading/slash' ..... 51
CWE-51: Path Equivalence: '/multiple//internal/slash' ..... 52
CWE-52: Path Equivalence: '/multiple/trailing/slash//' ..... 53
CWE-53: Path Equivalence: '\multiple\\internal\backslash' ..... 53
CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash) ..... 54
CWE-55: Path Equivalence: '/./' (Single Dot Directory) ..... 54
CWE-56: Path Equivalence: 'filedir*' (Wildcard) ..... 55


CWE-57: Path Equivalence: 'fakedir/../realdir/filename' ..... 55
CWE-58: Path Equivalence: Windows 8.3 Filename ..... 56
CWE-59: Improper Link Resolution Before File Access ('Link Following') ..... 57
CWE-60: UNIX Path Link Problems ..... 58
CWE-61: UNIX Symbolic Link (Symlink) Following ..... 58
CWE-62: UNIX Hard Link ..... 60
CWE-63: Windows Path Link Problems ..... 61
CWE-64: Windows Shortcut Following (.LNK) ..... 61
CWE-65: Windows Hard Link ..... 62
CWE-66: Improper Handling of File Names that Identify Virtual Resources ..... 63
CWE-67: Improper Handling of Windows Device Names ..... 64
CWE-68: Windows Virtual File Problems ..... 65
CWE-69: Failure to Handle Windows ::DATA Alternate Data Stream ..... 66
CWE-70: Mac Virtual File Problems ..... 67
CWE-71: Apple '.DS_Store' ..... 67
CWE-72: Improper Handling of Apple HFS+ Alternate Data Stream Path ..... 68
CWE-73: External Control of File Name or Path ..... 69
CWE-74: Failure to Sanitize Data into a Different Plane ('Injection') ..... 72
CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) ..... 75
CWE-76: Failure to Resolve Equivalent Special Elements into a Different Plane ..... 75
CWE-77: Improper Sanitization of Special Elements used in a Command ('Command Injection') ..... 76
CWE-78: Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') ..... 80
CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting') ..... 85
CWE-80: Improper Sanitization of Script-Related HTML Tags in a Web Page (Basic XSS) ..... 92
CWE-81: Improper Sanitization of Script in an Error Message Web Page ..... 94
CWE-82: Improper Sanitization of Script in Attributes of IMG Tags in a Web Page ..... 95
CWE-83: Failure to Sanitize Script in Attributes in a Web Page ..... 95
CWE-84: Failure to Resolve Encoded URI Schemes in a Web Page ..... 97
CWE-85: Doubled Character XSS Manipulations ..... 98
CWE-86: Failure to Sanitize Invalid Characters in Identifiers in Web Pages ..... 99
CWE-87: Failure to Sanitize Alternate XSS Syntax ..... 99
CWE-88: Argument Injection or Modification ..... 100
CWE-89: Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') ..... 103
CWE-90: Failure to Sanitize Data into LDAP Queries ('LDAP Injection') ..... 110
CWE-91: XML Injection (aka Blind XPath Injection) ..... 111
CWE-92: DEPRECATED: Improper Sanitization of Custom Special Characters ..... 111
CWE-93: Failure to Sanitize CRLF Sequences ('CRLF Injection') ..... 112
CWE-94: Failure to Control Generation of Code ('Code Injection') ..... 113
CWE-95: Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') ..... 115
CWE-96: Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection') ..... 118
CWE-97: Failure to Sanitize Server-Side Includes (SSI) Within a Web Page ..... 119
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') ..... 120
CWE-99: Improper Control of Resource Identifiers ('Resource Injection') ..... 122
CWE-100: Technology-Specific Input Validation Problems ..... 124
CWE-101: Struts Validation Problems ..... 124
CWE-102: Struts: Duplicate Validation Forms ..... 125
CWE-103: Struts: Incomplete validate() Method Definition ..... 126
CWE-104: Struts: Form Bean Does Not Extend Validation Class ..... 127
CWE-105: Struts: Form Field Without Validator ..... 128
CWE-106: Struts: Plug-in Framework not in Use ..... 129
CWE-107: Struts: Unused Validation Form ..... 129
CWE-108: Struts: Unvalidated Action Form ..... 130
CWE-109: Struts: Validator Turned Off ..... 131
CWE-110: Struts: Validator Without Form Field ..... 132
CWE-111: Direct Use of Unsafe JNI ..... 133
CWE-112: Missing XML Validation ..... 135
CWE-113: Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') ..... 136
CWE-114: Process Control ..... 139
CWE-115: Misinterpretation of Input ..... 141
CWE-116: Improper Encoding or Escaping of Output ..... 141


CWE-117: Improper Output Sanitization for Logs ..... 146
CWE-118: Improper Access of Indexable Resource ('Range Error') ..... 148
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer ..... 149
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ..... 154
CWE-121: Stack-based Buffer Overflow ..... 157
CWE-122: Heap-based Buffer Overflow ..... 159
CWE-123: Write-what-where Condition ..... 160
CWE-124: Buffer Underwrite ('Buffer Underflow') ..... 161
CWE-125: Out-of-bounds Read ..... 163
CWE-126: Buffer Over-read ..... 164
CWE-127: Buffer Under-read ..... 165
CWE-128: Wrap-around Error ..... 165
CWE-129: Improper Validation of Array Index ..... 167
CWE-130: Improper Handling of Length Parameter Inconsistency ..... 169
CWE-131: Incorrect Calculation of Buffer Size ..... 171
CWE-132: DEPRECATED (Duplicate): Miscalculated Null Termination ..... 173
CWE-133: String Errors ..... 173
CWE-134: Uncontrolled Format String ..... 173
CWE-135: Incorrect Calculation of Multi-Byte String Length ..... 176
CWE-136: Type Errors ..... 177
CWE-137: Representation Errors ..... 178
CWE-138: Improper Sanitization of Special Elements ..... 178
CWE-139: DEPRECATED: General Special Element Problems ..... 180
CWE-140: Failure to Sanitize Delimiters ..... 180
CWE-141: Failure to Sanitize Parameter/Argument Delimiters ..... 181
CWE-142: Failure to Sanitize Value Delimiters ..... 182
CWE-143: Failure to Sanitize Record Delimiters ..... 183
CWE-144: Failure to Sanitize Line Delimiters ..... 183
CWE-145: Failure to Sanitize Section Delimiters ..... 184
CWE-146: Failure to Sanitize Expression/Command Delimiters ..... 185
CWE-147: Improper Sanitization of Input Terminators ..... 186
CWE-148: Failure to Sanitize Input Leaders ..... 187
CWE-149: Failure to Sanitize Quoting Syntax ..... 187
CWE-150: Failure to Sanitize Escape, Meta, or Control Sequences ..... 188
CWE-151: Improper Sanitization of Comment Delimiters ..... 189
CWE-152: Improper Sanitization of Macro Symbols ..... 190
CWE-153: Improper Sanitization of Substitution Characters ..... 191
CWE-154: Improper Sanitization of Variable Name Delimiters ..... 192
CWE-155: Improper Sanitization of Wildcards or Matching Symbols ..... 193
CWE-156: Improper Sanitization of Whitespace ..... 194
CWE-157: Failure to Sanitize Paired Delimiters ..... 195
CWE-158: Failure to Sanitize Null Byte or NUL Character ..... 196
CWE-159: Failure to Sanitize Special Element ..... 197
CWE-160: Improper Sanitization of Leading Special Elements ..... 198
CWE-161: Improper Sanitization of Multiple Leading Special Elements ..... 199
CWE-162: Improper Sanitization of Trailing Special Elements ..... 200
CWE-163: Improper Sanitization of Multiple Trailing Special Elements ..... 201
CWE-164: Improper Sanitization of Internal Special Elements ..... 201
CWE-165: Improper Sanitization of Multiple Internal Special Elements ..... 202
CWE-166: Improper Handling of Missing Special Element ..... 203
CWE-167: Improper Handling of Additional Special Element ..... 204
CWE-168: Failure to Resolve Inconsistent Special Elements ..... 205
CWE-169: Technology-Specific Special Elements ..... 205
CWE-170: Improper Null Termination ..... 206
CWE-171: Cleansing, Canonicalization, and Comparison Errors ..... 209
CWE-172: Encoding Error ..... 211
CWE-173: Failure to Handle Alternate Encoding ..... 212
CWE-174: Double Decoding of the Same Data ..... 213
CWE-175: Failure to Handle Mixed Encoding ..... 213
CWE-176: Failure to Handle Unicode Encoding ..... 214
CWE-177: Failure to Handle URL Encoding (Hex Encoding) ..... 215


CWE-178: Failure to Resolve Case Sensitivity ..... 216
CWE-179: Incorrect Behavior Order: Early Validation ..... 218
CWE-180: Incorrect Behavior Order: Validate Before Canonicalize ..... 219
CWE-181: Incorrect Behavior Order: Validate Before Filter ..... 220
CWE-182: Collapse of Data Into Unsafe Value ..... 221
CWE-183: Permissive Whitelist ..... 222
CWE-184: Incomplete Blacklist ..... 223
CWE-185: Incorrect Regular Expression ..... 224
CWE-186: Overly Restrictive Regular Expression ..... 226
CWE-187: Partial Comparison ..... 226
CWE-188: Reliance on Data/Memory Layout ..... 228
CWE-189: Numeric Errors ..... 229
CWE-190: Integer Overflow or Wraparound ..... 230
CWE-191: Integer Underflow (Wrap or Wraparound) ..... 232
CWE-192: Integer Coercion Error ..... 233
CWE-193: Off-by-one Error ..... 234
CWE-194: Unexpected Sign Extension ..... 237
CWE-195: Signed to Unsigned Conversion Error ..... 239
CWE-196: Unsigned to Signed Conversion Error ..... 240
CWE-197: Numeric Truncation Error ..... 242
CWE-198: Use of Incorrect Byte Ordering ..... 243
CWE-199: Information Management Errors ..... 244
CWE-200: Information Exposure ..... 244
CWE-201: Information Leak Through Sent Data ..... 246
CWE-202: Privacy Leak through Data Queries ..... 247
CWE-203: Information Exposure Through Discrepancy ..... 248
CWE-204: Response Discrepancy Information Leak ..... 248
CWE-205: Information Exposure Through Behavioral Discrepancy ..... 250
CWE-206: Internal Behavioral Inconsistency Information Leak ..... 251
CWE-207: Information Exposure Through an External Behavioral Inconsistency ..... 251
CWE-208: Timing Discrepancy Information Leak ..... 252
CWE-209: Information Exposure Through an Error Message ..... 253
CWE-210: Product-Generated Error Message Information Leak ..... 256
CWE-211: Product-External Error Message Information Leak ..... 257
CWE-212: Improper Cross-boundary Cleansing ..... 258
CWE-213: Intended Information Leak ..... 259
CWE-214: Process Environment Information Leak ..... 260
CWE-215: Information Leak Through Debug Information ..... 261
CWE-216: Containment Errors (Container Errors) ..... 262
CWE-217: DEPRECATED: Failure to Protect Stored Data from Modification ..... 263
CWE-218: DEPRECATED (Duplicate): Failure to provide confidentiality for stored data ..... 263
CWE-219: Sensitive Data Under Web Root ..... 263
CWE-220: Sensitive Data Under FTP Root ..... 264
CWE-221: Information Loss or Omission ..... 264
CWE-222: Truncation of Security-relevant Information ..... 265
CWE-223: Omission of Security-relevant Information ..... 265
CWE-224: Obscured Security-relevant Information by Alternate Name ..... 266
CWE-225: DEPRECATED (Duplicate): General Information Management Problems ..... 267
CWE-226: Sensitive Information Uncleared Before Release ..... 267
CWE-227: Failure to Fulfill API Contract ('API Abuse') ..... 268
CWE-228: Improper Handling of Syntactically Invalid Structure ..... 269
CWE-229: Improper Handling of Values ..... 270
CWE-230: Improper Handling of Missing Values ..... 271
CWE-231: Improper Handling of Extra Values ..... 271
CWE-232: Improper Handling of Undefined Values ..... 272
CWE-233: Parameter Problems ..... 272
CWE-234: Failure to Handle Missing Parameter ..... 273
CWE-235: Improper Handling of Extra Parameters ..... 274
CWE-236: Improper Handling of Undefined Parameters ..... 275
CWE-237: Improper Handling of Structural Elements ..... 275
CWE-238: Improper Handling of Incomplete Structural Elements ..... 276


CWE-239: Failure to Handle Incomplete Element .......... 276
CWE-240: Improper Handling of Inconsistent Structural Elements .......... 277
CWE-241: Improper Handling of Unexpected Data Type .......... 277
CWE-242: Use of Inherently Dangerous Function .......... 278
CWE-243: Failure to Change Working Directory in chroot Jail .......... 279
CWE-244: Failure to Clear Heap Memory Before Release ('Heap Inspection') .......... 280
CWE-245: J2EE Bad Practices: Direct Management of Connections .......... 281
CWE-246: J2EE Bad Practices: Direct Use of Sockets .......... 282
CWE-247: Reliance on DNS Lookups in a Security Decision .......... 283
CWE-248: Uncaught Exception .......... 284
CWE-249: DEPRECATED: Often Misused: Path Manipulation .......... 285
CWE-250: Execution with Unnecessary Privileges .......... 285
CWE-251: Often Misused: String Management .......... 288
CWE-252: Unchecked Return Value .......... 288
CWE-253: Incorrect Check of Function Return Value .......... 292
CWE-254: Security Features .......... 293
CWE-255: Credentials Management .......... 294
CWE-256: Plaintext Storage of a Password .......... 294
CWE-257: Storing Passwords in a Recoverable Format .......... 296
CWE-258: Empty Password in Configuration File .......... 297
CWE-259: Hard-Coded Password .......... 298
CWE-260: Password in Configuration File .......... 301
CWE-261: Weak Cryptography for Passwords .......... 302
CWE-262: Not Using Password Aging .......... 303
CWE-263: Password Aging with Long Expiration .......... 304
CWE-264: Permissions, Privileges, and Access Controls .......... 305
CWE-265: Privilege / Sandbox Issues .......... 305
CWE-266: Incorrect Privilege Assignment .......... 306
CWE-267: Privilege Defined With Unsafe Actions .......... 307
CWE-268: Privilege Chaining .......... 308
CWE-269: Improper Privilege Management .......... 309
CWE-270: Privilege Context Switching Error .......... 310
CWE-271: Privilege Dropping / Lowering Errors .......... 311
CWE-272: Least Privilege Violation .......... 313
CWE-273: Improper Check for Dropped Privileges .......... 314
CWE-274: Improper Handling of Insufficient Privileges .......... 316
CWE-275: Permission Issues .......... 317
CWE-276: Incorrect Default Permissions .......... 317
CWE-277: Insecure Inherited Permissions .......... 318
CWE-278: Insecure Preserved Inherited Permissions .......... 319
CWE-279: Incorrect Execution-Assigned Permissions .......... 320
CWE-280: Improper Handling of Insufficient Permissions or Privileges .......... 320
CWE-281: Improper Preservation of Permissions .......... 322
CWE-282: Improper Ownership Management .......... 322
CWE-283: Unverified Ownership .......... 323
CWE-284: Access Control (Authorization) Issues .......... 324
CWE-285: Improper Access Control (Authorization) .......... 325
CWE-286: Incorrect User Management .......... 328
CWE-287: Improper Authentication .......... 329
CWE-288: Authentication Bypass Using an Alternate Path or Channel .......... 332
CWE-289: Authentication Bypass by Alternate Name .......... 333
CWE-290: Authentication Bypass by Spoofing .......... 334
CWE-291: Trusting Self-reported IP Address .......... 335
CWE-292: Trusting Self-reported DNS Name .......... 336
CWE-293: Using Referer Field for Authentication .......... 338
CWE-294: Authentication Bypass by Capture-replay .......... 339
CWE-295: Certificate Issues .......... 340
CWE-296: Improper Following of Chain of Trust for Certificate Validation .......... 341
CWE-297: Improper Validation of Host-specific Certificate Data .......... 342
CWE-298: Improper Validation of Certificate Expiration .......... 343
CWE-299: Improper Check for Certificate Revocation .......... 344


CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') .......... 345
CWE-301: Reflection Attack in an Authentication Protocol .......... 346
CWE-302: Authentication Bypass by Assumed-Immutable Data .......... 348
CWE-303: Incorrect Implementation of Authentication Algorithm .......... 349
CWE-304: Missing Critical Step in Authentication .......... 349
CWE-305: Authentication Bypass by Primary Weakness .......... 350
CWE-306: No Authentication for Critical Function .......... 350
CWE-307: Failure to Restrict Excessive Authentication Attempts .......... 351
CWE-308: Use of Single-factor Authentication .......... 352
CWE-309: Use of Password System for Primary Authentication .......... 353
CWE-310: Cryptographic Issues .......... 354
CWE-311: Failure to Encrypt Sensitive Data .......... 355
CWE-312: Cleartext Storage of Sensitive Information .......... 357
CWE-313: Plaintext Storage in a File or on Disk .......... 358
CWE-314: Plaintext Storage in the Registry .......... 358
CWE-315: Plaintext Storage in a Cookie .......... 359
CWE-316: Plaintext Storage in Memory .......... 359
CWE-317: Plaintext Storage in GUI .......... 360
CWE-318: Plaintext Storage in Executable .......... 361
CWE-319: Cleartext Transmission of Sensitive Information .......... 361
CWE-320: Key Management Errors .......... 363
CWE-321: Use of Hard-coded Cryptographic Key .......... 364
CWE-322: Key Exchange without Entity Authentication .......... 365
CWE-323: Reusing a Nonce, Key Pair in Encryption .......... 366
CWE-324: Use of a Key Past its Expiration Date .......... 368
CWE-325: Missing Required Cryptographic Step .......... 368
CWE-326: Inadequate Encryption Strength .......... 369
CWE-327: Use of a Broken or Risky Cryptographic Algorithm .......... 370
CWE-328: Reversible One-Way Hash .......... 373
CWE-329: Not Using a Random IV with CBC Mode .......... 374
CWE-330: Use of Insufficiently Random Values .......... 375
CWE-331: Insufficient Entropy .......... 378
CWE-332: Insufficient Entropy in PRNG .......... 379
CWE-333: Improper Handling of Insufficient Entropy in TRNG .......... 380
CWE-334: Small Space of Random Values .......... 381
CWE-335: PRNG Seed Error .......... 382
CWE-336: Same Seed in PRNG .......... 382
CWE-337: Predictable Seed in PRNG .......... 383
CWE-338: Use of Cryptographically Weak PRNG .......... 383
CWE-339: Small Seed Space in PRNG .......... 384
CWE-340: Predictability Problems .......... 385
CWE-341: Predictable from Observable State .......... 385
CWE-342: Predictable Exact Value from Previous Values .......... 386
CWE-343: Predictable Value Range from Previous Values .......... 387
CWE-344: Use of Invariant Value in Dynamically Changing Context .......... 387
CWE-345: Insufficient Verification of Data Authenticity .......... 388
CWE-346: Origin Validation Error .......... 389
CWE-347: Improper Verification of Cryptographic Signature .......... 390
CWE-348: Use of Less Trusted Source .......... 391
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data .......... 392
CWE-350: Improperly Trusted Reverse DNS .......... 392
CWE-351: Insufficient Type Distinction .......... 393
CWE-352: Cross-Site Request Forgery (CSRF) .......... 394
CWE-353: Failure to Add Integrity Check Value .......... 397
CWE-354: Improper Validation of Integrity Check Value .......... 399
CWE-355: User Interface Security Issues .......... 400
CWE-356: Product UI does not Warn User of Unsafe Actions .......... 400
CWE-357: Insufficient UI Warning of Dangerous Operations .......... 401
CWE-358: Improperly Implemented Security Check for Standard .......... 402
CWE-359: Privacy Violation .......... 402
CWE-360: Trust of System Event Data .......... 404


CWE-361: Time and State .......... 405
CWE-362: Race Condition .......... 406
CWE-363: Race Condition Enabling Link Following .......... 409
CWE-364: Signal Handler Race Condition .......... 410
CWE-365: Race Condition in Switch .......... 412
CWE-366: Race Condition within a Thread .......... 413
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition .......... 414
CWE-368: Context Switching Race Condition .......... 417
CWE-369: Divide By Zero .......... 418
CWE-370: Missing Check for Certificate Revocation after Initial Check .......... 420
CWE-371: State Issues .......... 421
CWE-372: Incomplete Internal State Distinction .......... 422
CWE-373: State Synchronization Error .......... 422
CWE-374: Mutable Objects Passed by Reference .......... 424
CWE-375: Passing Mutable Objects to an Untrusted Method .......... 425
CWE-376: Temporary File Issues .......... 426
CWE-377: Insecure Temporary File .......... 426
CWE-378: Creation of Temporary File With Insecure Permissions .......... 428
CWE-379: Creation of Temporary File in Directory with Incorrect Permissions .......... 429
CWE-380: Technology-Specific Time and State Issues .......... 430
CWE-381: J2EE Time and State Issues .......... 431
CWE-382: J2EE Bad Practices: Use of System.exit() .......... 431
CWE-383: J2EE Bad Practices: Direct Use of Threads .......... 432
CWE-384: Session Fixation .......... 433
CWE-385: Covert Timing Channel .......... 435
CWE-386: Symbolic Name not Mapping to Correct Object .......... 436
CWE-387: Signal Errors .......... 437
CWE-388: Error Handling .......... 438
CWE-389: Error Conditions, Return Values, Status Codes .......... 439
CWE-390: Detection of Error Condition Without Action .......... 440
CWE-391: Unchecked Error Condition .......... 443
CWE-392: Failure to Report Error in Status Code .......... 445
CWE-393: Return of Wrong Status Code .......... 446
CWE-394: Unexpected Status Code or Return Value .......... 446
CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference .......... 447
CWE-396: Declaration of Catch for Generic Exception .......... 448
CWE-397: Declaration of Throws for Generic Exception .......... 449
CWE-398: Indicator of Poor Code Quality .......... 450
CWE-399: Resource Management Errors .......... 451
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') .......... 452
CWE-401: Failure to Release Memory Before Removing Last Reference ('Memory Leak') .......... 456
CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') .......... 458
CWE-403: UNIX File Descriptor Leak .......... 458
CWE-404: Improper Resource Shutdown or Release .......... 459
CWE-405: Asymmetric Resource Consumption (Amplification) .......... 463
CWE-406: Insufficient Control of Network Message Volume (Network Amplification) .......... 464
CWE-407: Algorithmic Complexity .......... 465
CWE-408: Incorrect Behavior Order: Early Amplification .......... 466
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) .......... 466
CWE-410: Insufficient Resource Pool .......... 467
CWE-411: Resource Locking Problems .......... 468
CWE-412: Unrestricted Externally Accessible Lock .......... 468
CWE-413: Insufficient Resource Locking .......... 470
CWE-414: Missing Lock Check .......... 471
CWE-415: Double Free .......... 471
CWE-416: Use After Free .......... 473
CWE-417: Channel and Path Errors .......... 475
CWE-418: Channel Errors .......... 476
CWE-419: Unprotected Primary Channel .......... 476
CWE-420: Unprotected Alternate Channel .......... 477
CWE-421: Race Condition During Access to Alternate Channel .......... 478


CWE-422: Unprotected Windows Messaging Channel ('Shatter') .......... 479
CWE-423: DEPRECATED (Duplicate): Proxied Trusted Channel .......... 480
CWE-424: Failure to Protect Alternate Path .......... 480
CWE-425: Direct Request ('Forced Browsing') .......... 480
CWE-426: Untrusted Search Path .......... 482
CWE-427: Uncontrolled Search Path Element .......... 485
CWE-428: Unquoted Search Path or Element .......... 486
CWE-429: Handler Errors .......... 487
CWE-430: Deployment of Wrong Handler .......... 488
CWE-431: Missing Handler .......... 488
CWE-432: Dangerous Handler not Disabled During Sensitive Operations .......... 489
CWE-433: Unparsed Raw Web Content Delivery .......... 490
CWE-434: Unrestricted File Upload .......... 490
CWE-435: Interaction Error .......... 492
CWE-436: Interpretation Conflict .......... 493
CWE-437: Incomplete Model of Endpoint Features .......... 494
CWE-438: Behavioral Problems .......... 495
CWE-439: Behavioral Change in New Version or Environment .......... 495
CWE-440: Expected Behavior Violation .......... 496
CWE-441: Unintended Proxy/Intermediary .......... 497
CWE-442: Web Problems .......... 497
CWE-443: DEPRECATED (Duplicate): HTTP response splitting .......... 498
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') .......... 498
CWE-445: User Interface Errors .......... 499
CWE-446: UI Discrepancy for Security Feature .......... 500
CWE-447: Unimplemented or Unsupported Feature in UI .......... 500
CWE-448: Obsolete Feature in UI .......... 501
CWE-449: The UI Performs the Wrong Action .......... 501
CWE-450: Multiple Interpretations of UI Input .......... 502
CWE-451: UI Misrepresentation of Critical Information .......... 503
CWE-452: Initialization and Cleanup Errors .......... 504
CWE-453: Insecure Default Variable Initialization .......... 505
CWE-454: External Initialization of Trusted Variables .......... 505
CWE-455: Non-exit on Failed Initialization .......... 506
CWE-456: Missing Initialization .......... 507
CWE-457: Use of Uninitialized Variable .......... 508
CWE-458: DEPRECATED: Incorrect Initialization .......... 510
CWE-459: Incomplete Cleanup .......... 510
CWE-460: Improper Cleanup on Thrown Exception .......... 512
CWE-461: Data Structure Issues .......... 513
CWE-462: Duplicate Key in Associative List (Alist) .......... 513
CWE-463: Deletion of Data Structure Sentinel .......... 514
CWE-464: Addition of Data Structure Sentinel .......... 515
CWE-465: Pointer Issues .......... 516
CWE-466: Return of Pointer Value Outside of Expected Range .......... 517
CWE-467: Use of sizeof() on a Pointer Type .......... 517
CWE-468: Incorrect Pointer Scaling .......... 520
CWE-469: Use of Pointer Subtraction to Determine Size .......... 521
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') .......... 522
CWE-471: Modification of Assumed-Immutable Data (MAID) .......... 524
CWE-472: External Control of Assumed-Immutable Web Parameter .......... 525
CWE-473: PHP External Variable Modification .......... 527
CWE-474: Use of Function with Inconsistent Implementations .......... 528
CWE-475: Undefined Behavior for Input to API .......... 528
CWE-476: NULL Pointer Dereference ..........
529CWE-477: Use of Obsolete Functions............................................................................................................ 532CWE-478: Missing Default Case in Switch Statement................................................................................... 533CWE-479: Unsafe Function Call from a Signal Handler................................................................................. 535CWE-480: Use of Incorrect Operator............................................................................................................. 536CWE-481: Assigning instead of Comparing................................................................................................... 537CWE-482: Comparing instead of Assigning................................................................................................... 539

    CWE-483: Incorrect Block Delimitation .......... 540
    CWE-484: Omitted Break Statement in Switch .......... 541
    CWE-485: Insufficient Encapsulation .......... 543
    CWE-486: Comparison of Classes by Name .......... 544
    CWE-487: Reliance on Package-level Scope .......... 545
    CWE-488: Data Leak Between Sessions .......... 546
    CWE-489: Leftover Debug Code .......... 547
    CWE-490: Mobile Code Issues .......... 548
    CWE-491: Public cloneable() Method Without Final ('Object Hijack') .......... 549
    CWE-492: Use of Inner Class Containing Sensitive Data .......... 550
    CWE-493: Critical Public Variable Without Final Modifier .......... 555
    CWE-494: Download of Code Without Integrity Check .......... 557
    CWE-495: Private Array-Typed Field Returned From A Public Method .......... 559
    CWE-496: Public Data Assigned to Private Array-Typed Field .......... 560
    CWE-497: Exposure of System Data to an Unauthorized Control Sphere .......... 560
    CWE-498: Information Leak through Class Cloning .......... 562
    CWE-499: Serializable Class Containing Sensitive Data .......... 563
    CWE-500: Public Static Field Not Marked Final .......... 564
    CWE-501: Trust Boundary Violation .......... 565
    CWE-502: Deserialization of Untrusted Data .......... 566
    CWE-503: Byte/Object Code .......... 567
    CWE-504: Motivation/Intent .......... 568
    CWE-505: Intentionally Introduced Weakness .......... 568
    CWE-506: Embedded Malicious Code .......... 569
    CWE-507: Trojan Horse .......... 569
    CWE-508: Non-Replicating Malicious Code .......... 570
    CWE-509: Replicating Malicious Code (Virus or Worm) .......... 571
    CWE-510: Trapdoor .......... 571
    CWE-511: Logic/Time Bomb .......... 571
    CWE-512: Spyware .......... 572
    CWE-513: Intentionally Introduced Nonmalicious Weakness .......... 573
    CWE-514: Covert Channel .......... 573
    CWE-515: Covert Storage Channel .......... 573
    CWE-516: DEPRECATED (Duplicate): Covert Timing Channel .......... 574
    CWE-517: Other Intentional, Nonmalicious Weakness .......... 575
    CWE-518: Inadvertently Introduced Weakness .......... 575
    CWE-519: .NET Environment Issues .......... 575
    CWE-520: .NET Misconfiguration: Use of Impersonation .......... 576
    CWE-521: Weak Password Requirements .......... 576
    CWE-522: Insufficiently Protected Credentials .......... 577
    CWE-523: Unprotected Transport of Credentials .......... 578
    CWE-524: Information Leak Through Caching .......... 579
    CWE-525: Information Leak Through Browser Caching .......... 579
    CWE-526: Information Leak Through Environmental Variables .......... 580
    CWE-527: Exposure of CVS Repository to an Unauthorized Control Sphere .......... 580
    CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere .......... 581
    CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere .......... 581
    CWE-530: Exposure of Backup File to an Unauthorized Control Sphere .......... 582
    CWE-531: Information Leak Through Test Code .......... 583
    CWE-532: Information Leak Through Log Files .......... 583
    CWE-533: Information Leak Through Server Log Files .......... 584
    CWE-534: Information Leak Through Debug Log Files .......... 585
    CWE-535: Information Leak Through Shell Error Message .......... 585
    CWE-536: Information Leak Through Servlet Runtime Error Message .......... 585
    CWE-537: Information Leak Through Java Runtime Error Message .......... 586
    CWE-538: File and Directory Information Exposure .......... 587
    CWE-539: Information Leak Through Persistent Cookies .......... 588
    CWE-540: Information Leak Through Source Code .......... 589
    CWE-541: Information Leak Through Include Source Code .......... 590
    CWE-542: Information Leak Through Cleanup Log Files .......... 590
    CWE-543: Use of Singleton Pattern in a Non-thread-safe Manner .......... 590

    CWE-544: Failure to Use a Standardized Error Handling Mechanism .......... 591
    CWE-545: Use of Dynamic Class Loading .......... 592
    CWE-546: Suspicious Comment .......... 593
    CWE-547: Use of Hard-coded, Security-relevant Constants .......... 593
    CWE-548: Information Leak Through Directory Listing .......... 594
    CWE-549: Missing Password Field Masking .......... 595
    CWE-550: Information Leak Through Server Error Message .......... 595
    CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization .......... 596
    CWE-552: Files or Directories Accessible to External Parties .......... 596
    CWE-553: Command Shell in Externally Accessible Directory .......... 597
    CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework .......... 598
    CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File .......... 598
    CWE-556: ASP.NET Misconfiguration: Use of Identity Impersonation .......... 599
    CWE-557: Concurrency Issues .......... 599
    CWE-558: Use of getlogin() in Multithreaded Application .......... 600
    CWE-559: Often Misused: Arguments and Parameters .......... 600
    CWE-560: Use of umask() with chmod-style Argument .......... 601
    CWE-561: Dead Code .......... 601
    CWE-562: Return of Stack Variable Address .......... 603
    CWE-563: Unused Variable .......... 604
    CWE-564: SQL Injection: Hibernate .......... 604
    CWE-565: Reliance on Cookies without Validation and Integrity Checking .......... 605
    CWE-566: Access Control Bypass Through User-Controlled SQL Primary Key .......... 606
    CWE-567: Unsynchronized Access to Shared Data .......... 607
    CWE-568: finalize() Method Without super.finalize() .......... 608
    CWE-569: Expression Issues .......... 609
    CWE-570: Expression is Always False .......... 609
    CWE-571: Expression is Always True .......... 611
    CWE-572: Call to Thread run() instead of start() .......... 612
    CWE-573: Failure to Follow Specification .......... 613
    CWE-574: EJB Bad Practices: Use of Synchronization Primitives .......... 614
    CWE-575: EJB Bad Practices: Use of AWT Swing .......... 614
    CWE-576: EJB Bad Practices: Use of Java I/O .......... 616
    CWE-577: EJB Bad Practices: Use of Sockets .......... 617
    CWE-578: EJB Bad Practices: Use of Class Loader .......... 619
    CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session .......... 620
    CWE-580: clone() Method Without super.clone() .......... 621
    CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined .......... 622
    CWE-582: Array Declared Public, Final, and Static .......... 622
    CWE-583: finalize() Method Declared Public .......... 623
    CWE-584: Return Inside Finally Block .......... 624
    CWE-585: Empty Synchronized Block .......... 624
    CWE-586: Explicit Call to Finalize() .......... 625
    CWE-587: Assignment of a Fixed Address to a Pointer .......... 626
    CWE-588: Attempt to Access Child of a Non-structure Pointer .......... 627
    CWE-589: Call to Non-ubiquitous API .......... 628
    CWE-590: Free of Memory not on the Heap .......... 628
    CWE-591: Sensitive Data Storage in Improperly Locked Memory .......... 630
    CWE-592: Authentication Bypass Issues .......... 631
    CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created .......... 632
    CWE-594: J2EE Framework: Saving Unserializable Objects to Disk .......... 633
    CWE-595: Comparison of Object References Instead of Object Contents .......... 634
    CWE-596: Incorrect Semantic Object Comparison .......... 634
    CWE-597: Use of Wrong Operator in String Comparison .......... 635
    CWE-598: Information Leak Through Query Strings in GET Request .......... 636
    CWE-599: Trust of OpenSSL Certificate Without Validation .......... 636
    CWE-600: Failure to Catch All Exceptions in Servlet .......... 637
    CWE-601: URL Redirection to Untrusted Site ('Open Redirect') .......... 638
    CWE-602: Client-Side Enforcement of Server-Side Security .......... 639
    CWE-603: Use of Client-Side Authentication .......... 642
    CWE-604: Deprecated Entries .......... 643

    CWE-605: Multiple Binds to the Same Port .......... 643
    CWE-606: Unchecked Input for Loop Condition .......... 644
    CWE-607: Public Static Final Field References Mutable Object .......... 645
    CWE-608: Struts: Non-private Field in ActionForm Class .......... 645
    CWE-609: Double-Checked Locking .......... 646
    CWE-610: Externally Controlled Reference to a Resource in Another Sphere .......... 647
    CWE-611: Information Leak Through XML External Entity File Disclosure .......... 648
    CWE-612: Information Leak Through Indexing of Private Data .......... 648
    CWE-613: Insufficient Session Expiration .......... 649
    CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute .......... 650
    CWE-615: Information Leak Through Comments .......... 651
    CWE-616: Incomplete Identification of Uploaded File Variables (PHP) .......... 651
    CWE-617: Reachable Assertion .......... 653
    CWE-618: Exposed Unsafe ActiveX Method .......... 654
    CWE-619: Dangling Database Cursor ('Cursor Injection') .......... 654
    CWE-620: Unverified Password Change .......... 655
    CWE-621: Variable Extraction Error .......... 656
    CWE-622: Unvalidated Function Hook Arguments .......... 657
    CWE-623: Unsafe ActiveX Control Marked Safe For Scripting .......... 658
    CWE-624: Executable Regular Expression Error .......... 658
    CWE-625: Permissive Regular Expression .......... 659
    CWE-6