CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 501–550 of 970 · page 11 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-356 | Product UI does not Warn User of Unsafe Actions | The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick use… |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. |
| CWE-358 | Improperly Implemented Security Check for Standard | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol,… |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to ac… |
| CWE-36 | Absolute Path Traversal | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequenc… |
| CWE-360 | Trust of System Event Data | Security based on event locations is insecure and can be spoofed. Events are a messaging system which may provide control data to programs listening for even… |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared … |
| CWE-363 | Race Condition Enabling Link Following | The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before … |
| CWE-364 | Signal Handler Race Condition | The product uses a signal handler that introduces a race condition. |
| CWE-365 | DEPRECATED: Race Condition in Switch | This entry has been deprecated. There are no documented cases in which a switch's control expression is evaluated more than once. It is likely that this entry… |
| CWE-366 | Race Condition within a Thread | If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of e… |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalida… |
| CWE-368 | Context Switching Race Condition | A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an … |
| CWE-369 | Divide By Zero | The product divides a value by zero. This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not pro… |
| CWE-37 | Path Traversal: '/absolute/pathname/here' | The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to trave… |
| CWE-370 | Missing Check for Certificate Revocation after Initial Check | The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions… |
| CWE-372 | Incomplete Internal State Distinction | The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorr… |
| CWE-373 | DEPRECATED: State Synchronization Error | This entry was deprecated because it overlapped the same concepts as race condition (CWE-362) and Improper Synchronization (CWE-662). |
| CWE-374 | Passing Mutable Objects to an Untrusted Method | The product sends non-cloned mutable data as an argument to a method or function. The function or method that has been called can alter or delete the mutable … |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. In situations where functions retu… |
| CWE-377 | Insecure Temporary File | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| CWE-378 | Creation of Temporary File With Insecure Permissions | Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack. |
| CWE-379 | Creation of Temporary File in Directory with Insecure Permissions | The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. … |
| CWE-38 | Path Traversal: '\absolute\pathname\here' | The product accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation, which can allow an attacker to t… |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | A J2EE application uses System.exit(), which also shuts down its container. It is never a good idea for a web application to attempt to shut down the applicat… |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads | Thread management in a Web application is forbidden in some circumstances and is always highly error prone. Thread management in a web application is forbidde… |
| CWE-384 | Session Fixation | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to … |
| CWE-385 | Covert Timing Channel | Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe sys… |
| CWE-386 | Symbolic Name not Mapping to Correct Object | A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time. |
| CWE-39 | Path Traversal: 'C:dirname' | The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or ar… |
| CWE-390 | Detection of Error Condition Without Action | The product detects a specific error, but takes no actions to handle the error. |
| CWE-391 | Unchecked Error Condition | [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attack… |
| CWE-392 | Missing Report of Error Condition | The product encounters an error but does not provide a status code or return value to indicate that an error has occurred. |
| CWE-393 | Return of Wrong Status Code | A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its… |
| CWE-394 | Unexpected Status Code or Return Value | The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product. |
| CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. |
| CWE-396 | Declaration of Catch for Generic Exception | Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. Multiple catch blocks can get u… |
| CWE-397 | Declaration of Throws for Generic Exception | The product throws or raises overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions. Declaring a… |
| CWE-40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | The product accepts input that identifies a Windows UNC share ('\\UNC\share\name') that potentially redirects access to an unintended location or arbitrary fil… |
| CWE-400 | Uncontrolled Resource Consumption | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-401 | Missing Release of Memory after Effective Lifetime | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those … |
| CWE-404 | Improper Resource Shutdown or Release | The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer… |
| CWE-405 | Asymmetric Resource Consumption (Amplification) | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the ad… |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) | The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than s… |
| CWE-407 | Inefficient Algorithmic Complexity | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attac… |
| CWE-408 | Incorrect Behavior Order: Early Amplification | The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data ampl… |
| CWE-41 | Improper Resolution of Path Equivalence | The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and dire… |