970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 101–150 of 970 · page 3 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-1120 | Excessive Code Complexity | The code is too complex, as calculated using a well-defined, quantitative measure. |
| CWE-1121 | Excessive McCabe Cyclomatic Complexity | The code contains McCabe cyclomatic complexity that exceeds a desirable maximum. |
| CWE-1122 | Excessive Halstead Complexity | The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum. |
| CWE-1123 | Excessive Use of Self-Modifying Code | The product uses too much self-modifying code. |
| CWE-1124 | Excessively Deep Nesting | The code contains a callable or other code grouping in which the nesting / branching is too deep. |
| CWE-1125 | Excessive Attack Surface | The product has an attack surface whose quantitative measurement exceeds a desirable maximum. |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | The source code declares a variable in one scope, but the variable is only used within a narrower scope. |
| CWE-1127 | Compilation with Insufficient Warnings or Errors | The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues. |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and L… |
| CWE-114 | Process Control | Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and pay… |
| CWE-115 | Misinterpretation of Input | The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion. |
| CWE-116 | Improper Encoding or Escaping of Output | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly.… |
| CWE-1164 | Irrelevant Code | The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow,… |
| CWE-117 | Improper Output Neutralization for Logs | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to… |
| CWE-1173 | Improper Use of Validation Framework | The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library. Many modern co… |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | The ASP.NET application does not use, or incorrectly uses, the model validation framework. |
| CWE-1176 | Inefficient CPU Computation | The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the c… |
| CWE-1177 | Use of Prohibited Code | The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer. |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') | The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memor… |
| CWE-1187 | DEPRECATED: Use of Uninitialized Resource | This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the defa… |
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) | The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents. |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in… |
| CWE-1190 | DMA Device Enabled Too Early in Boot Phase | The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract… |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes thro… |
| CWE-1192 | Improper Identifier for IP Block used in System-On-Chip (SOC) | The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components. |
| CWE-1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control | The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled. |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses. |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
| CWE-1204 | Generation of Weak Initialization Vector (IV) | The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredict… |
| CWE-1209 | Failure to Disable Reserved Bits | The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support a… |
| CWE-121 | Stack-based Buffer Overflow | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a pa… |
| CWE-122 | Heap-based Buffer Overflow | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the… |
| CWE-1220 | Insufficient Granularity of Access Control | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a sy… |
| CWE-1221 | Incorrect Register Defaults or Module Parameters | Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values. |
| CWE-1222 | Insufficient Granularity of Address Regions Protected by Register Locks | The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional… |
| CWE-1223 | Race Condition for Write-Once Attributes | A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race co… |
| CWE-1224 | Improper Restriction of Write-Once Bit Fields | The hardware design control register "sticky bits" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software. |
| CWE-1229 | Creation of Emergent Resource | The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended p… |
| CWE-123 | Write-what-where Condition | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from t… |
| CWE-1231 | Improper Prevention of Lock Bit Modification | The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the… |
| CWE-1232 | Improper Lock Behavior After Power State Transition | Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable aft… |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that … |
| CWE-1234 | Hardware Internal or Debug Modes Allow Override of Locks | System configuration protection may be bypassed during debug mode. |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements tha… |
| CWE-1239 | Improper Zeroization of Hardware Register | The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes. Hardware logic operate… |
| CWE-124 | Buffer Underwrite ('Buffer Underflow') | The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant… |