CWE weaknesses (970 indexed)
970 MITRE CWE entries: software weakness types that underlie vulnerabilities (CVE→CWE link). Authored by Adam Lundqvist.
Showing 551–600 of 970 · page 12 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-410 | Insufficient Resource Pool | The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relat… |
| CWE-412 | Unrestricted Externally Accessible Lock | The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sp… |
| CWE-413 | Improper Resource Locking | The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. When a resource is not properly l… |
| CWE-414 | Missing Lock Check | A product does not check to see if a lock is present before performing sensitive operations on a resource. |
| CWE-415 | Double Free | The product calls free() twice on the same memory address. |
| CWE-416 | Use After Free | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while… |
| CWE-419 | Unprotected Primary Channel | The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. |
| CWE-42 | Path Equivalence: 'filename.' (Trailing Dot) | The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow a… |
| CWE-420 | Unprotected Alternate Channel | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
| CWE-421 | Race Condition During Access to Alternate Channel | The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors. This creates a race condition th… |
| CWE-422 | Unprotected Windows Messaging Channel ('Shatter') | The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channe… |
| CWE-423 | DEPRECATED: Proxied Trusted Channel | This entry has been deprecated because it was a duplicate of CWE-441. All content has been transferred to CWE-441. |
| CWE-424 | Improper Protection of Alternate Path | The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources. |
| CWE-425 | Direct Request ('Forced Browsing') | The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. |
| CWE-426 | Untrusted Search Path | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct contro… |
| CWE-427 | Uncontrolled Search Path Element | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
| CWE-428 | Unquoted Search Path or Element | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to a… |
| CWE-43 | Path Equivalence: 'filename....' (Multiple Trailing Dot) | The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution… |
| CWE-430 | Deployment of Wrong Handler | The wrong "handler" is assigned to process an object. An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP fil… |
| CWE-431 | Missing Handler | A handler is not available or implemented. When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or… |
| CWE-432 | Dangerous Signal Handler not Disabled During Sensitive Operations | The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invok… |
| CWE-433 | Unparsed Raw Web Content Delivery | The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. If code is sto… |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-435 | Improper Interaction Between Multiple Correctly-Behaving Entities | An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a l… |
| CWE-436 | Interpretation Conflict | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is genera… |
| CWE-437 | Incomplete Model of Endpoint Features | A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or stat… |
| CWE-439 | Behavioral Change in New Version or Environment | A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B. |
| CWE-44 | Path Equivalence: 'file.name' (Internal Dot) | The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow… |
| CWE-440 | Expected Behavior Violation | A feature, API, or function does not perform according to its specification. |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the req… |
| CWE-443 | DEPRECATED: HTTP response splitting | This weakness can be found at CWE-113. |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and serve… |
| CWE-446 | UI Discrepancy for Security Feature | The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feat… |
| CWE-447 | Unimplemented or Unsupported Feature in UI | A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionalit… |
| CWE-448 | Obsolete Feature in UI | A UI function is obsolete and the product does not warn the user. |
| CWE-449 | The UI Performs the Wrong Action | The UI performs the wrong action with respect to the user's request. |
| CWE-45 | Path Equivalence: 'file...name' (Multiple Internal Dot) | The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution … |
| CWE-450 | Multiple Interpretations of UI Input | The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation. |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. Thi… |
| CWE-453 | Insecure Default Variable Initialization | The product, by default, initializes an internal variable with an insecure or less secure value than is possible. |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. A product system should be reluctant… |
| CWE-455 | Non-exit on Failed Initialization | The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a … |
| CWE-456 | Missing Initialization of a Variable | The product does not initialize critical variables, which causes the execution environment to use unexpected values. |
| CWE-457 | Use of Uninitialized Variable | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables a… |
| CWE-458 | DEPRECATED: Incorrect Initialization | This weakness has been deprecated because its name and description did not match. The description duplicated CWE-454, while the name suggested a more abstract … |
| CWE-459 | Incomplete Cleanup | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| CWE-46 | Path Equivalence: 'filename ' (Trailing Space) | The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow… |
| CWE-460 | Improper Cleanup on Thrown Exception | The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, wh… |
| CWE-462 | Duplicate Key in Associative List (Alist) | Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. A duplicate key entry -- if the alist is designed properly -- cou… |
| CWE-463 | Deletion of Data Structure Sentinel | The accidental deletion of a data-structure sentinel can cause serious programming logic problems. Often times data-structure sentinels are used to mark struc… |