CWE weaknesses
970 MITRE CWE entries: the software weakness types that underlie vulnerabilities (each CVE is linked to one or more CWEs). Authored by Adam Lundqvist.
Showing 351–400 of 644 in Other · page 8 of 13
| ID | Title | Summary |
|---|---|---|
| CWE-36 | Absolute Path Traversal | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequenc… |
| CWE-360 | Trust of System Event Data | Security based on event locations is insecure and can be spoofed. Events are a messaging system which may provide control data to programs listening for even… |
| CWE-369 | Divide By Zero | The product divides a value by zero. This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not pro… |
| CWE-37 | Path Traversal: '/absolute/pathname/here' | The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to trave… |
| CWE-370 | Missing Check for Certificate Revocation after Initial Check | The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions… |
| CWE-372 | Incomplete Internal State Distinction | The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorr… |
| CWE-374 | Passing Mutable Objects to an Untrusted Method | The product sends non-cloned mutable data as an argument to a method or function. The function or method that has been called can alter or delete the mutable … |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. In situations where functions retu… |
| CWE-377 | Insecure Temporary File | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| CWE-38 | Path Traversal: '\absolute\pathname\here' | The product accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation, which can allow an attacker to t… |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | A J2EE application uses System.exit(), which also shuts down its container. It is never a good idea for a web application to attempt to shut down the applicat… |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads | Thread management in a Web application is forbidden in some circumstances and is always highly error prone. Thread management in a web application is forbidde… |
| CWE-385 | Covert Timing Channel | Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe sys… |
| CWE-386 | Symbolic Name not Mapping to Correct Object | A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. |
| CWE-39 | Path Traversal: 'C:dirname' | The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or ar… |
| CWE-390 | Detection of Error Condition Without Action | The product detects a specific error, but takes no actions to handle the error. |
| CWE-391 | Unchecked Error Condition | [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attack… |
| CWE-392 | Missing Report of Error Condition | The product encounters an error but does not provide a status code or return value to indicate that an error has occurred. |
| CWE-393 | Return of Wrong Status Code | A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its… |
| CWE-394 | Unexpected Status Code or Return Value | The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product. |
| CWE-396 | Declaration of Catch for Generic Exception | Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Multiple catch blocks can get u… |
| CWE-397 | Declaration of Throws for Generic Exception | The product throws or raises an overly broad exception that can hide important details and produce inappropriate responses to certain conditions. Declaring a… |
| CWE-40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | The product accepts input that identifies a Windows UNC share ('\\UNC\share\name') that potentially redirects access to an unintended location or arbitrary fil… |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) | The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than s… |
| CWE-407 | Inefficient Algorithmic Complexity | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attac… |
| CWE-408 | Incorrect Behavior Order: Early Amplification | The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data ampl… |
| CWE-41 | Improper Resolution of Path Equivalence | The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and dire… |
| CWE-412 | Unrestricted Externally Accessible Lock | The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sp… |
| CWE-414 | Missing Lock Check | A product does not check to see if a lock is present before performing sensitive operations on a resource. |
| CWE-415 | Double Free | The product calls free() twice on the same memory address. |
| CWE-419 | Unprotected Primary Channel | The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. |
| CWE-42 | Path Equivalence: 'filename.' (Trailing Dot) | The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow a… |
| CWE-420 | Unprotected Alternate Channel | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
| CWE-422 | Unprotected Windows Messaging Channel ('Shatter') | The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channe… |
| CWE-423 | DEPRECATED: Proxied Trusted Channel | This entry has been deprecated because it was a duplicate of CWE-441. All content has been transferred to CWE-441. |
| CWE-424 | Improper Protection of Alternate Path | The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. |
| CWE-425 | Direct Request ('Forced Browsing') | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. |
| CWE-426 | Untrusted Search Path | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct contro… |
| CWE-427 | Uncontrolled Search Path Element | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
| CWE-428 | Unquoted Search Path or Element | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to a… |
| CWE-43 | Path Equivalence: 'filename....' (Multiple Trailing Dot) | The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution… |
| CWE-430 | Deployment of Wrong Handler | The wrong "handler" is assigned to process an object. An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP fil… |
| CWE-431 | Missing Handler | A handler is not available or implemented. When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or… |
| CWE-433 | Unparsed Raw Web Content Delivery | The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. If code is sto… |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-435 | Improper Interaction Between Multiple Correctly-Behaving Entities | An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a l… |
| CWE-436 | Interpretation Conflict | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is genera… |
| CWE-437 | Incomplete Model of Endpoint Features | A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or stat… |
| CWE-439 | Behavioral Change in New Version or Environment | A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. |
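The absolute-path and path-equivalence rows on this page (CWE-36, CWE-37, CWE-38, CWE-39, CWE-40, CWE-42, CWE-43) describe input shapes that a naive "no `..`" filter misses. The following is an added example, not part of the index or of MITRE's material, showing one way to screen for those shapes on the raw string and then confirm containment after resolution; the function names, the base directory `/srv/app/data` and the sample inputs are all this example's own.

```python
"""
Added example, not part of the CWE index or of MITRE's material: a small
input-validation helper for the absolute-path and path-equivalence rows
listed above (CWE-36, -37, -38, -39, -40, -42, -43). Function names,
the base directory and the sample inputs are all this example's own.
"""
import os
import re
from typing import Optional, Tuple

# UNC share prefixes '\\server\share' or '//server/share' (CWE-40).
_UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")
# Windows drive or volume letter such as 'C:dirname' (CWE-39).
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_path_input(user_path: str) -> Optional[str]:
    """Return the CWE id whose pattern the raw input matches, or None.

    The checks run on the string before any normalisation: normalising first
    (os.path.normpath, realpath) would silently rewrite exactly the sequences
    these entries describe, which is how 'absolute path accepted' bugs get
    past filters that only look for '..'.
    """
    if not user_path:
        return "empty"
    if _UNC_RE.match(user_path):
        return "CWE-40"
    if user_path.startswith("/"):
        return "CWE-37"
    if user_path.startswith("\\"):
        return "CWE-38"
    if _DRIVE_RE.match(user_path):
        return "CWE-39"
    # Trailing-dot components: 'name.' (CWE-42) vs 'name..', 'name....' (CWE-43).
    # '.' and '..' on their own are ordinary relative components, not this weakness.
    for part in user_path.replace("\\", "/").split("/"):
        if part not in ("", ".", "..") and part.endswith("."):
            return "CWE-43" if part.endswith("..") else "CWE-42"
    return None


def resolve_within(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir and confirm the result stays inside it (CWE-36).

    Raises ValueError naming the matched CWE, or 'escapes base dir' when only
    the post-resolution containment check catches it (e.g. 'a/../../etc/passwd').
    """
    tag = classify_path_input(user_path)
    if tag is not None:
        raise ValueError(f"rejected ({tag}): {user_path!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks (on POSIX); the prefix test
    # then catches relative traversal that the string checks above do not.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected (escapes base dir): {user_path!r}")
    return target


def check_path(base_dir: str, user_path: str) -> Tuple[bool, str]:
    """Non-raising wrapper: (True, resolved path) or (False, reason)."""
    try:
        return True, resolve_within(base_dir, user_path)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample inputs, one per row this example covers.
SAMPLE_INPUTS = [
    "reports/q1.txt",              # benign relative path
    "/etc/passwd",                 # CWE-37
    "\\windows\\win.ini",          # CWE-38
    "C:boot.ini",                  # CWE-39
    "\\\\fileserver\\share\\x",    # CWE-40
    "report.txt.",                 # CWE-42
    "report.txt....",              # CWE-43
    "a/../../etc/passwd",          # CWE-36: relative, caught only by containment
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        ok, detail = check_path("/srv/app/data", sample)
        print(f"{'OK  ' if ok else 'DENY'} {sample!r:32} {detail}")
```

The two layers are deliberate: the string classifier exists to report which catalogued shape an input matched (useful for logging and for mapping findings back to a CWE id), while the `realpath` plus `commonpath` containment test is the check that actually decides, since it also rejects relative traversal that none of the listed patterns cover. On Windows the backslash and drive-letter branches matter in practice; on POSIX a backslash is an ordinary filename character, so the classifier is stricter than the filesystem there, which is the safe direction.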