970 indexed CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 301–350 of 644 in Other · page 7 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-282 | Improper Ownership Management | The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. |
| CWE-283 | Unverified Ownership | The product does not properly verify that a critical resource is owned by the proper entity. |
| CWE-284 | Improper Access Control | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-286 | Incorrect User Management | The product does not properly manage a user within its environment. Users can be assigned to the wrong group (class) of permissions resulting in unintended ac… |
| CWE-29 | Path Traversal: '\..\filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leadi… |
| CWE-292 | DEPRECATED: Trusting Self-reported DNS Name | This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. |
| CWE-295 | Improper Certificate Validation | The product does not validate, or incorrectly validates, a certificate. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with tha… |
| CWE-298 | Improper Validation of Certificate Expiration | A certificate expiration is not validated or is incorrectly validated. |
| CWE-299 | Improper Check for Certificate Revocation | The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. An… |
| CWE-30 | Path Traversal: '\dir\..\filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\dir\..\filename' (l… |
| CWE-300 | Channel Accessible by Non-Endpoint | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the chann… |
| CWE-31 | Path Traversal: 'dir\..\..\filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\..\..\filename' … |
| CWE-32 | Path Traversal: '...' (Triple Dot) | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) se… |
| CWE-321 | Use of Hard-coded Cryptographic Key | The product uses a hard-coded, unchangeable cryptographic key. |
| CWE-324 | Use of a Key Past its Expiration Date | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracki… |
| CWE-325 | Missing Cryptographic Step | The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The product uses a broken or risky cryptographic algorithm or protocol. |
| CWE-328 | Use of Weak Hash | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to re… |
| CWE-329 | Generation of Predictable IV with CBC Mode | The product generates and uses a predictable Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dic… |
| CWE-33 | Path Traversal: '....' (Multiple Dot) | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot)… |
| CWE-330 | Use of Insufficiently Random Values | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-331 | Insufficient Entropy | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
| CWE-332 | Insufficient Entropy in PRNG | The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. |
| CWE-333 | Improper Handling of Insufficient Entropy in TRNG | True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. The rate at which true random numbers can be … |
| CWE-334 | Small Space of Random Values | The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. Given the deterministic nature of PRNGs, using the same seed … |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. The use of predictable seeds significan… |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| CWE-339 | Small Seed Space in PRNG | A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. PRNGs are entirely d… |
| CWE-34 | Path Traversal: '....//' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot… |
| CWE-340 | Generation of Predictable Numbers or Identifiers | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-341 | Predictable from Observable State | A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. |
| CWE-342 | Predictable Exact Value from Previous Values | An exact value or random number can be precisely predicted by observing previous values. |
| CWE-343 | Predictable Value Range from Previous Values | The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the … |
| CWE-344 | Use of Invariant Value in Dynamically Changing Context | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| CWE-346 | Origin Validation Error | The product does not properly verify that the source of data or communication is valid. |
| CWE-347 | Improper Verification of Cryptographic Signature | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
| CWE-348 | Use of Less Trusted Source | The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is le… |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were tr… |
| CWE-35 | Path Traversal: '.../...//' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled … |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP a… |
| CWE-351 | Insufficient Type Distinction | The product does not properly distinguish between different types of elements in a way that leads to insecure behavior. |
| CWE-353 | Missing Support for Integrity Check | The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. If… |
| CWE-354 | Improper Validation of Integrity Check Value | The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data h… |
| CWE-356 | Product UI does not Warn User of Unsafe Actions | The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick use… |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. |
| CWE-358 | Improperly Implemented Security Check for Standard | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol,… |