CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Authored by Adam Lundqvist.
Showing 151–200 of 970 · page 4 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | The device uses an algorithm that is predictable and generates a pseudo-random number. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | The device includes chicken bits or undocumented features that can create entry points for unauthorized actors. |
| CWE-1243 | Sensitive Non-Volatile Information Not Protected During Debug | Access to security-sensitive information stored in fuses is not limited during debug. |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an i… |
| CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic | Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain… |
| CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories | The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories. |
| CWE-1247 | Improper Protection Against Voltage and Clock Glitches | The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive in… |
| CWE-1248 | Semiconductor Defects in Hardware Logic with Security-Sensitive Implications | The security-sensitive hardware module contains semiconductor defects. |
| CWE-1249 | Application-Level Admin Tool with Inconsistent View of Underlying Operating System | The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all… |
| CWE-125 | Out-of-bounds Read | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-1250 | Improper Preservation of Consistency Between Independent Representations of Shared State | The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state o… |
| CWE-1251 | Mirrored Regions with Different Values | The product's architecture mirrors regions without ensuring that their contents always stay in sync. |
| CWE-1252 | CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations | The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from a… |
| CWE-1253 | Incorrect Selection of Fuse Values | The logic level used to set a system to a secure state relies on a fuse being unblown. |
| CWE-1254 | Incorrect Comparison Logic Granularity | The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failur… |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks | A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the … |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit fu… |
| CWE-1257 | Improper Access Control Applied to Mirrored or Aliased Memory Regions | Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untr… |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered. |
| CWE-1259 | Improper Restriction of Security Token Assignment | The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an … |
| CWE-126 | Buffer Over-read | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | The product allows address regions to overlap, which can result in the bypassing of intended memory protection. |
| CWE-1261 | Improper Handling of Single Event Upsets | The hardware logic does not effectively handle when single-event upsets (SEUs) occur. |
| CWE-1262 | Improper Access Control for Register Interface | The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those re… |
| CWE-1263 | Improper Physical Access Control | The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access … |
| CWE-1264 | Hardware Logic with Insecure De-Synchronization between Control and Data Channels | The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete. |
| CWE-1265 | Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls | The product invokes code that is believed to be reentrant, but the code performs a call that unintentionally produces a nested invocation of the non-reentrant … |
| CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device | The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbi… |
| CWE-1267 | Policy Uses Obsolete Encoding | The product uses an obsolete encoding mechanism to implement access controls. |
| CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents | The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies. … |
| CWE-1269 | Product Released in Non-Release Configuration | The product released to market is released in pre-production or manufacturing configuration. |
| CWE-127 | Buffer Under-read | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. |
| CWE-1270 | Generation of Incorrect Security Tokens | The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However… |
| CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Security-critical logic is not set to a known value on reset. |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to infor… |
| CWE-1273 | Device Unlock Credential Sharing | The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information. |
| CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have suffic… |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. The SameSite attribute controls how cookies are sent for cross-domain r… |
| CWE-1276 | Hardware Child Block Incorrectly Connected to Parent System | Signals between a hardware IP and the parent system design are incorrectly connected causing security risks. |
| CWE-1277 | Firmware Not Updateable | The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be prese… |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques suc… |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. Many c… |
| CWE-128 | Wrap-around Error | Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefin… |
| CWE-1280 | Access Control Check Implemented After Asset is Accessed | A product's hardware-based access control check occurs after the asset has been accessed. |
| CWE-1281 | Sequence of Processor Instructions Leads to Unexpected Behavior | Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset is performed. |
| CWE-1282 | Assumed-Immutable Data is Stored in Writable Memory | Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-prog… |
| CWE-1283 | Mutable Attestation or Measurement Reporting Data | The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary. |
| CWE-1284 | Improper Validation of Specified Quantity in Input | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity… |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not valid… |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that … |