CWE weaknesses
970 MITRE CWE entries indexed — software weakness types that underlie vulnerabilities (CVE→CWE link). Authored by Adam Lundqvist.
Showing 701–750 of 970 · page 15 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is vali… |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key | The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can … |
| CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context | The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data cha… |
| CWE-568 | finalize() Method Without super.finalize() | The product contains a finalize() method that does not call super.finalize(). The Java Language Specification states that it is a good practice for a finalize… |
| CWE-57 | Path Equivalence: 'fakedir/../realdir/filename' | The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/.… |
| CWE-570 | Expression is Always False | The product contains an expression that will always evaluate to false. |
| CWE-571 | Expression is Always True | The product contains an expression that will always evaluate to true. |
| CWE-572 | Call to Thread run() instead of start() | The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. In most … |
| CWE-573 | Improper Following of Specification by Caller | The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform… |
| CWE-574 | EJB Bad Practices: Use of Synchronization Primitives | The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives. The Enterprise JavaBeans specification requires … |
| CWE-575 | EJB Bad Practices: Use of AWT Swing | The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. The Enterprise JavaBeans specification requires that every bean provider… |
| CWE-576 | EJB Bad Practices: Use of Java I/O | The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package. The Enterprise JavaBeans specification requires that every bea… |
| CWE-577 | EJB Bad Practices: Use of Sockets | The product violates the Enterprise JavaBeans (EJB) specification by using sockets. The Enterprise JavaBeans specification requires that every bean provider f… |
| CWE-578 | EJB Bad Practices: Use of Class Loader | The product violates the Enterprise JavaBeans (EJB) specification by using the class loader. The Enterprise JavaBeans specification requires that every bean p… |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session | The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability. A J2EE application can make use of multiple JVMs in orde… |
| CWE-58 | Path Equivalence: Windows 8.3 Filename | The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to… |
| CWE-580 | clone() Method Without super.clone() | The product contains a clone() method that does not call super.clone() to obtain the new object. All implementations of clone() should obtain the new object b… |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined | The product does not maintain equal hashcodes for equal objects. Java objects are expected to obey a number of invariants related to equality. One of these in… |
| CWE-582 | Array Declared Public, Final, and Static | The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. Because arrays are mutab… |
| CWE-583 | finalize() Method Declared Public | The product violates secure coding principles for mobile code by declaring a finalize() method public. A product should never call finalize explicitly, except… |
| CWE-584 | Return Inside Finally Block | The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded. |
| CWE-585 | Empty Synchronized Block | The product contains an empty synchronized block. An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled sec… |
| CWE-586 | Explicit Call to Finalize() | The product makes an explicit call to the finalize() method from outside the finalizer. While the Java Language Specification allows an object's finalize() me… |
| CWE-587 | Assignment of a Fixed Address to a Pointer | The product sets a pointer to a specific address other than NULL or 0. Using a fixed address is not portable, because that address will probably not be valid … |
| CWE-588 | Attempt to Access Child of a Non-structure Pointer | Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption. |
| CWE-589 | Call to Non-ubiquitous API | The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allo… |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves t… |
| CWE-590 | Free of Memory not on the Heap | The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). Wh… |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files o… |
| CWE-592 | DEPRECATED: Authentication Bypass Issues | This weakness has been deprecated because it covered redundant concepts already described in CWE-287. |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | The product modifies the SSL context after connection creation has begun. If the program modifies the SSL_CTX object after creating SSL objects from it, there… |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully. In heavy load cond… |
| CWE-595 | Comparison of Object References Instead of Object Contents | The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. For example, in Jav… |
| CWE-596 | DEPRECATED: Incorrect Semantic Object Comparison | This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID… |
| CWE-597 | Use of Wrong Operator in String Comparison | The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. In Java, using == or != to c… |
| CWE-598 | Use of HTTP Request With Sensitive Query String | The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string. |
| CWE-599 | Missing Validation of OpenSSL Certificate | The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all neces… |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take ove… |
| CWE-600 | Uncaught Exception in Servlet | The Servlet does not catch all exceptions, which may reveal sensitive debugging information. When a Servlet throws an exception, the default error response th… |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on prote… |
| CWE-603 | Use of Client-Side Authentication | A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified cl… |
| CWE-605 | Multiple Binds to the Same Port | When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed. On most systems, a combination of setting th… |
| CWE-606 | Unchecked Input for Loop Condition | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of exces… |
| CWE-607 | Public Static Final Field References Mutable Object | A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another pac… |
| CWE-608 | Struts: Non-private Field in ActionForm Class | An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. |
| CWE-609 | Double-Checked Locking | The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. Double-checked… |
| CWE-61 | UNIX Symbolic Link (Symlink) Following | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the inte… |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CWE-611 | Improper Restriction of XML External Entity Reference | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the … |