970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 451–500 of 970 · page 10 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-308 | Use of Single-factor Authentication | The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor. |
| CWE-309 | Use of Password System for Primary Authentication | The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mech… |
| CWE-31 | Path Traversal: 'dir\..\..\filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\..\..\filename' … |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-312 | Cleartext Storage of Sensitive Information | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-313 | Cleartext Storage in a File or on Disk | The product stores sensitive information in cleartext in a file, or on disk. The sensitive information could be read by attackers with access to the file, or … |
| CWE-314 | Cleartext Storage in the Registry | The product stores sensitive information in cleartext in the registry. Attackers can read the information by accessing the registry key. Even if the informati… |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | The product stores sensitive information in cleartext in a cookie. Attackers can use widely-available tools to view the cookie and read the sensitive informat… |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | The product stores sensitive information in cleartext in memory. |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI | The product stores sensitive information in cleartext within the GUI. An attacker can often obtain data from a GUI, even if hidden, by using an API to directl… |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable | The product stores sensitive information in cleartext in an executable. Attackers can reverse engineer binary code to obtain secret data. This is especially e… |
| CWE-319 | Cleartext Transmission of Sensitive Information | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CWE-32 | Path Traversal: '...' (Triple Dot) | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) se… |
| CWE-321 | Use of Hard-coded Cryptographic Key | The product uses a hard-coded, unchangeable cryptographic key. |
| CWE-322 | Key Exchange without Entity Authentication | The product performs a key exchange with an actor without verifying the identity of that actor. Performing a key exchange will preserve the integrity of the i… |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
| CWE-324 | Use of a Key Past its Expiration Date | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracki… |
| CWE-325 | Missing Cryptographic Step | The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. |
| CWE-326 | Inadequate Encryption Strength | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection req… |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The product uses a broken or risky cryptographic algorithm or protocol. |
| CWE-328 | Use of Weak Hash | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to re… |
| CWE-329 | Generation of Predictable IV with CBC Mode | The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dic… |
| CWE-33 | Path Traversal: '....' (Multiple Dot) | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot)… |
| CWE-330 | Use of Insufficiently Random Values | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-331 | Insufficient Entropy | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
| CWE-332 | Insufficient Entropy in PRNG | The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. |
| CWE-333 | Improper Handling of Insufficient Entropy in TRNG | True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. The rate at which true random numbers can be … |
| CWE-334 | Small Space of Random Values | The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. Given the deterministic nature of PRNGs, using the same seed … |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. The use of predictable seeds significan… |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| CWE-339 | Small Seed Space in PRNG | A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. PRNGs are entirely d… |
| CWE-34 | Path Traversal: '....//' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot… |
| CWE-340 | Generation of Predictable Numbers or Identifiers | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-341 | Predictable from Observable State | A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. |
| CWE-342 | Predictable Exact Value from Previous Values | An exact value or random number can be precisely predicted by observing previous values. |
| CWE-343 | Predictable Value Range from Previous Values | The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the … |
| CWE-344 | Use of Invariant Value in Dynamically Changing Context | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| CWE-345 | Insufficient Verification of Data Authenticity | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| CWE-346 | Origin Validation Error | The product does not properly verify that the source of data or communication is valid. |
| CWE-347 | Improper Verification of Cryptographic Signature | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
| CWE-348 | Use of Less Trusted Source | The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is le… |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were tr… |
| CWE-35 | Path Traversal: '.../...//' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled … |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP a… |
| CWE-351 | Insufficient Type Distinction | The product does not properly distinguish between different types of elements in a way that leads to insecure behavior. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have or… |
| CWE-353 | Missing Support for Integrity Check | The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. If… |
| CWE-354 | Improper Validation of Integrity Check Value | The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data h… |