CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 151–200 of 644 in Other · page 4 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-1288 | Improper Validation of Consistency within Input | The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validate… |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that th… |
| CWE-129 | Improper Validation of Array Index | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the i… |
| CWE-1290 | Incorrect Decoding of Security Identifiers | The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then… |
| CWE-1292 | Incorrect Conversion of Security Identifiers | The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly impleme… |
| CWE-1293 | Missing Source Correlation of Multiple Independent Data | The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source. |
| CWE-1294 | Insecure Security Identifier Mechanism | The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from … |
| CWE-1297 | Unprotected Confidential Information on Device is Accessible by OSAT Vendors | The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors. |
| CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface | The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other e… |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length o… |
| CWE-1300 | Improper Protection of Physical Side Channels | The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physica… |
| CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | The product's data removal process does not completely delete all data and potentially sensitive information within hardware components. |
| CWE-1302 | Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) | The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A … |
| CWE-1310 | Missing Ability to Patch ROM Code | Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state. |
| CWE-1311 | Improper Translation of Security Attributes by Fabric Bridge | The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to… |
| CWE-1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall | The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions. |
| CWE-1314 | Missing Write Protection for Parametric Data Values | The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent re… |
| CWE-1315 | Improper Setting of Bus Controlling Capability in Fabric End-point | The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric. |
| CWE-1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges | The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping porti… |
| CWE-1317 | Improper Access Control in Fabric Bridge | The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privileg… |
| CWE-1318 | Missing Support for Security Features in On-chip Fabrics or Buses | On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control. |
| CWE-132 | DEPRECATED: Miscalculated Null Termination | This entry has been deprecated because it was a duplicate of CWE-170. All content has been transferred to CWE-170. |
| CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals | Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts. |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly co… |
| CWE-1322 | Use of Blocking Code in Single-threaded, Non-blocking Context | The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it… |
| CWE-1326 | Missing Immutable Root of Trust in Hardware | A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code. |
| CWE-1327 | Binding to an Unrestricted IP Address | The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely. |
| CWE-1328 | Security Version Number Mutable to Older Versions | Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions. |
| CWE-1329 | Reliance on Component That is Not Updateable | The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs. |
| CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips | The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occu… |
| CWE-1333 | Inefficient Regular Expression Complexity | The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential. |
| CWE-1335 | Incorrect Bitwise Shift of Integer | An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an une… |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or … |
| CWE-1338 | Improper Protections Against Hardware Overheating | A hardware device is missing or has inadequate protection features to prevent overheating. |
| CWE-1339 | Insufficient Precision or Accuracy of a Real Number | The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fracti… |
| CWE-134 | Use of Externally-Controlled Format String | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |
| CWE-135 | Incorrect Calculation of Multi-Byte String Length | The product does not correctly calculate the length of strings that can contain wide or multi-byte characters. |
| CWE-1351 | Improper Handling of Hardware Behavior in Exceptionally Cold Environments | A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security… |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability… |
| CWE-138 | Improper Neutralization of Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as cont… |
| CWE-1384 | Improper Handling of Physical or Environmental Conditions | The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced. |
| CWE-1385 | Missing Origin Validation in WebSockets | The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point | The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is … |
| CWE-1389 | Incorrect Parsing of Numbers with Different Radices | The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix). |
| CWE-1395 | Dependency on Vulnerable Third-Party Component | The product has a dependency on a third-party component that contains one or more known vulnerabilities. |
| CWE-140 | Improper Neutralization of Delimiters | The product does not neutralize or incorrectly neutralizes delimiters. |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as para… |
| CWE-142 | Improper Neutralization of Value Delimiters | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as valu… |
| CWE-1426 | Improper Validation of Generative AI Output | The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insuf… |
| CWE-1427 | Improper Neutralization of Input Used for LLM Prompting | The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM t… |