CWE weaknesses (970 indexed)
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 451–500 of 644 in Other · page 10 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-507 | Trojan Horse | The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended securi… |
| CWE-508 | Non-Replicating Malicious Code | Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems. |
| CWE-509 | Replicating Malicious Code (Virus or Worm) | Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the pro… |
| CWE-51 | Path Equivalence: '/multiple//internal/slash' | The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguou… |
| CWE-510 | Trapdoor | A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforc… |
| CWE-511 | Logic/Time Bomb | The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certai… |
| CWE-512 | Spyware | The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other res… |
| CWE-514 | Covert Channel | A covert channel is a path that can be used to transfer information in a way not intended by the system's designers. Typically the system has not given author… |
| CWE-515 | Covert Storage Channel | A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this cas… |
| CWE-516 | DEPRECATED: Covert Timing Channel | This weakness can be found at CWE-385. |
| CWE-52 | Path Equivalence: '/multiple/trailing/slash//' | The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguou… |
| CWE-53 | Path Equivalence: '\multiple\\internal\backslash' | The product accepts path input in the form of multiple internal backslash ('\multiple\trailing\\slash') without appropriate validation, which can lead to ambig… |
| CWE-54 | Path Equivalence: 'filedir\' (Trailing Backslash) | The product accepts path input in the form of trailing backslash ('filedir\') without appropriate validation, which can lead to ambiguous path resolution and a… |
| CWE-544 | Missing Standardized Error Handling Mechanism | The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknes… |
| CWE-545 | DEPRECATED: Use of Dynamic Class Loading | This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integr… |
| CWE-546 | Suspicious Comment | The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. Many suspicious comments, such as BUG, HACK, FIXME, LAT… |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenanc… |
| CWE-55 | Path Equivalence: '/./' (Single Dot Directory) | The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution … |
| CWE-552 | Files or Directories Accessible to External Parties | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-553 | Command Shell in Externally Accessible Directory | A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on th… |
| CWE-558 | Use of getlogin() in Multithreaded Application | The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. The getlogin() function returns a poin… |
| CWE-56 | Path Equivalence: 'filedir*' (Wildcard) | The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and al… |
| CWE-560 | Use of umask() with chmod-style Argument | The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). |
| CWE-561 | Dead Code | The product contains dead code, which can never be executed. Dead code is code that can never be executed in a running program. The surrounding code makes it … |
| CWE-562 | Return of Stack Variable Address | A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. Because local variables ar… |
| CWE-563 | Assignment to Variable without Use | The variable's value is assigned but never used, making it a dead store. After the assignment, the variable is either assigned another value or goes out of sc… |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is vali… |
| CWE-568 | finalize() Method Without super.finalize() | The product contains a finalize() method that does not call super.finalize(). The Java Language Specification states that it is a good practice for a finalize… |
| CWE-57 | Path Equivalence: 'fakedir/../realdir/filename' | The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/.… |
| CWE-570 | Expression is Always False | The product contains an expression that will always evaluate to false. |
| CWE-571 | Expression is Always True | The product contains an expression that will always evaluate to true. |
| CWE-572 | Call to Thread run() instead of start() | The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. In most … |
| CWE-573 | Improper Following of Specification by Caller | The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform… |
| CWE-575 | EJB Bad Practices: Use of AWT Swing | The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. The Enterprise JavaBeans specification requires that every bean provider… |
| CWE-576 | EJB Bad Practices: Use of Java I/O | The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package. The Enterprise JavaBeans specification requires that every bea… |
| CWE-577 | EJB Bad Practices: Use of Sockets | The product violates the Enterprise JavaBeans (EJB) specification by using sockets. The Enterprise JavaBeans specification requires that every bean provider f… |
| CWE-578 | EJB Bad Practices: Use of Class Loader | The product violates the Enterprise JavaBeans (EJB) specification by using the class loader. The Enterprise JavaBeans specification requires that every bean p… |
| CWE-58 | Path Equivalence: Windows 8.3 Filename | The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to… |
| CWE-580 | clone() Method Without super.clone() | The product contains a clone() method that does not call super.clone() to obtain the new object. All implementations of clone() should obtain the new object b… |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | The product does not maintain equal hashcodes for equal objects. Java objects are expected to obey a number of invariants related to equality. One of these in… |
| CWE-582 | Array Declared Public, Final, and Static | The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. Because arrays are mutab… |
| CWE-583 | finalize() Method Declared Public | The product violates secure coding principles for mobile code by declaring a finalize() method public. A product should never call finalize explicitly, except… |
| CWE-584 | Return Inside Finally Block | The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. |
| CWE-586 | Explicit Call to Finalize() | The product makes an explicit call to the finalize() method from outside the finalizer. While the Java Language Specification allows an object's finalize() me… |
| CWE-589 | Call to Non-ubiquitous API | The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allo… |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves t… |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. In heavy load cond… |
| CWE-595 | Comparison of Object References Instead of Object Contents | The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. For example, in Jav… |
| CWE-596 | DEPRECATED: Incorrect Semantic Object Comparison | This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID… |
| CWE-597 | Use of Wrong Operator in String Comparison | The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. In Java, using == or != to c… |