970 indexed
CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 51–68 of 68 in Auth · page 2 of 2
| ID | Title | Summary |
|---|---|---|
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability. A J2EE application can make use of multiple JVMs in orde… |
| CWE-592 | DEPRECATED: Authentication Bypass Issues | This weakness has been deprecated because it covered redundant concepts already described in CWE-287. |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | The product modifies the SSL context after connection creation has begun. If the program modifies the SSL_CTX object after creating SSL objects from it, there… |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take ove… |
| CWE-603 | Use of Client-Side Authentication | A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified cl… |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information | The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the origi… |
| CWE-613 | Insufficient Session Expiration | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
| CWE-620 | Unverified Password Change | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could b… |
| CWE-639 | Authorization Bypass Through User-Controlled Key | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying … |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-647 | Use of Non-Canonical URL Paths for Authorization Decisions | The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to … |
| CWE-798 | Use of Hard-coded Credentials | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the … |
| CWE-862 | Missing Authorization | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-863 | Incorrect Authorization | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cra… |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms a… |