970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 101–150 of 644 in Other · page 3 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-1164 | Irrelevant Code | The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow,… |
| CWE-117 | Improper Output Neutralization for Logs | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to… |
| CWE-1173 | Improper Use of Validation Framework | The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. Many modern co… |
| CWE-1176 | Inefficient CPU Computation | The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the c… |
| CWE-1177 | Use of Prohibited Code | The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer. |
| CWE-1190 | DMA Device Enabled Too Early in Boot Phase | The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract… |
| CWE-1192 | Improper Identifier for IP Block used in System-On-Chip (SOC) | The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components. |
| CWE-1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control | The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled. |
| CWE-1204 | Generation of Weak Initialization Vector (IV) | The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredict… |
| CWE-1209 | Failure to Disable Reserved Bits | The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support a… |
| CWE-1220 | Insufficient Granularity of Access Control | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a sy… |
| CWE-1222 | Insufficient Granularity of Address Regions Protected by Register Locks | The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional… |
| CWE-1224 | Improper Restriction of Write-Once Bit Fields | The hardware design control register "sticky bits" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software. |
| CWE-123 | Write-what-where Condition | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
| CWE-1231 | Improper Prevention of Lock Bit Modification | The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the… |
| CWE-1232 | Improper Lock Behavior After Power State Transition | Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable aft… |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements tha… |
| CWE-1239 | Improper Zeroization of Hardware Register | The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes. Hardware logic operate… |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant… |
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | The device uses an algorithm that is predictable and generates a pseudo-random number. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | The device includes chicken bits or undocumented features that can create entry points for unauthorized actors. |
| CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic | Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain… |
| CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories | The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories. |
| CWE-1247 | Improper Protection Against Voltage and Clock Glitches | The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive in… |
| CWE-1249 | Application-Level Admin Tool with Inconsistent View of Underlying Operating System | The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all… |
| CWE-1250 | Improper Preservation of Consistency Between Independent Representations of Shared State | The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state o… |
| CWE-1251 | Mirrored Regions with Different Values | The product's architecture mirrors regions without ensuring that their contents always stay in sync. |
| CWE-1253 | Incorrect Selection of Fuse Values | The logic level used to set a system to a secure state relies on a fuse being unblown. |
| CWE-1254 | Incorrect Comparison Logic Granularity | The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failur… |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks | A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the … |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit fu… |
| CWE-1261 | Improper Handling of Single Event Upsets | The hardware logic does not effectively handle when single-event upsets (SEUs) occur. |
| CWE-1262 | Improper Access Control for Register Interface | The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those re… |
| CWE-1263 | Improper Physical Access Control | The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access … |
| CWE-1265 | Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls | The product invokes code that is believed to be reentrant, but the code performs a call that unintentionally produces a nested invocation of the non-reentrant … |
| CWE-1267 | Policy Uses Obsolete Encoding | The product uses an obsolete encoding mechanism to implement access controls. |
| CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Security-critical logic is not set to a known value on reset. |
| CWE-1276 | Hardware Child Block Incorrectly Connected to Parent System | Signals between a hardware IP and the parent system design are incorrectly connected causing security risks. |
| CWE-1277 | Firmware Not Updateable | The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be prese… |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques suc… |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. Many c… |
| CWE-128 | Wrap-around Error | Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefin… |
| CWE-1280 | Access Control Check Implemented After Asset is Accessed | A product's hardware-based access control check occurs after the asset has been accessed. |
| CWE-1281 | Sequence of Processor Instructions Leads to Unexpected Behavior | Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed. |
| CWE-1283 | Mutable Attestation or Measurement Reporting Data | The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary. |
| CWE-1284 | Improper Validation of Specified Quantity in Input | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity… |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not valid… |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that … |
| CWE-1287 | Improper Validation of Specified Type of Input | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expect… |