970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 651–700 of 970 · page 14 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-515 | Covert Storage Channel | A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this cas… |
| CWE-516 | DEPRECATED: Covert Timing Channel | This weakness can be found at CWE-385. |
| CWE-52 | Path Equivalence: '/multiple/trailing/slash//' | The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguou… |
| CWE-520 | .NET Misconfiguration: Use of Impersonation | Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in variou… |
| CWE-521 | Weak Password Requirements | The product does not require that users should have strong passwords. |
| CWE-522 | Insufficiently Protected Credentials | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-523 | Unprotected Transport of Credentials | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| CWE-524 | Use of Cache Containing Sensitive Information | The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Applications may… |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | The product uses an environment variable to store unencrypted sensitive information. Information stored in an environment variable can be accessible by other … |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere | The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unau… |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized act… |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere | The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere. Exposure o… |
| CWE-53 | Path Equivalence: '\multiple\\internal\backslash' | The product accepts path input in the form of multiple internal backslash ('\multiple\trailing\\slash') without appropriate validation, which can lead to ambig… |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | A backup file is stored in a directory or archive that is made accessible to unauthorized actors. Often, older backup files are renamed with an extension such… |
| CWE-531 | Inclusion of Sensitive Information in Test Code | Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would eve… |
| CWE-532 | Insertion of Sensitive Information into Log File | The product writes sensitive information to a log file. |
| CWE-533 | DEPRECATED: Information Exposure Through Server Log Files | This entry has been deprecated because its abstraction was too low-level. See CWE-532. |
| CWE-534 | DEPRECATED: Information Exposure Through Debug Log Files | This entry has been deprecated because its abstraction was too low-level. See CWE-532. |
| CWE-535 | Exposure of Information Through Shell Error Message | A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the condi… |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information | A servlet error message indicates that there exists an unhandled exception in the web application code and may provide useful information to an attacker. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the se… |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | The web application uses persistent cookies, but the cookies contain sensitive information. Cookies are small bits of data that are sent by the web applicatio… |
| CWE-54 | Path Equivalence: 'filedir\' (Trailing Backslash) | The product accepts path input in the form of trailing backslash ('filedir\') without appropriate validation, which can lead to ambiguous path resolution and a… |
| CWE-540 | Inclusion of Sensitive Information in Source Code | Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. There are situations where it … |
| CWE-541 | Inclusion of Sensitive Information in an Include File | If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and syste… |
| CWE-542 | DEPRECATED: Information Exposure Through Cleanup Log Files | This entry has been deprecated because its abstraction was too low-level. See CWE-532. |
| CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | The product uses the singleton pattern when creating a resource within a multithreaded environment. The use of a singleton pattern may not be thread-safe. |
| CWE-544 | Missing Standardized Error Handling Mechanism | The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknes… |
| CWE-545 | DEPRECATED: Use of Dynamic Class Loading | This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integr… |
| CWE-546 | Suspicious Comment | The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses. Many suspicious comments, such as BUG, HACK, FIXME, LAT… |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenanc… |
| CWE-548 | Exposure of Information Through Directory Listing | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
| CWE-549 | Missing Password Field Masking | The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. |
| CWE-55 | Path Equivalence: '/./' (Single Dot Directory) | The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution … |
| CWE-550 | Server-generated Error Message Containing Sensitive Information | Certain conditions, such as network failure, will cause a server error message to be displayed. While error messages in and of themselves are not dangerous, p… |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization prote… |
| CWE-552 | Files or Directories Accessible to External Parties | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-553 | Command Shell in Externally Accessible Directory | A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on th… |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | The ASP.NET application does not use an input validation framework. |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File | The J2EE application stores a plaintext password in a configuration file. Storing a plaintext password in a configuration file allows anyone who can read the … |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation | Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges. The use of impersonated credentials a… |
| CWE-558 | Use of getlogin() in Multithreaded Application | The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values. The getlogin() function returns a poin… |
| CWE-56 | Path Equivalence: 'filedir*' (Wildcard) | The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and al… |
| CWE-560 | Use of umask() with chmod-style Argument | The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod(). |
| CWE-561 | Dead Code | The product contains dead code, which can never be executed. Dead code is code that can never be executed in a running program. The surrounding code makes it … |
| CWE-562 | Return of Stack Variable Address | A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. Because local variables ar… |
| CWE-563 | Assignment to Variable without Use | The variable's value is assigned but never used, making it a dead store. After the assignment, the variable is either assigned another value or goes out of sc… |
| CWE-564 | SQL Injection: Hibernate | Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbit… |