CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 301–350 of 970 · page 7 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-158 | Improper Neutralization of Null Byte or NUL Character | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to… |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause advers… |
| CWE-160 | Improper Neutralization of Leading Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted… |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be in… |
| CWE-162 | Improper Neutralization of Trailing Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interprete… |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be i… |
| CWE-164 | Improper Neutralization of Internal Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interprete… |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be i… |
| CWE-166 | Improper Handling of Missing Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. |
| CWE-167 | Improper Handling of Additional Special Element | The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided. |
| CWE-168 | Improper Handling of Inconsistent Special Elements | The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words. An example of this probl… |
| CWE-170 | Improper Null Termination | The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. Null termination errors frequently … |
| CWE-172 | Encoding Error | The product does not properly encode or decode the data, resulting in unexpected values. |
| CWE-173 | Improper Handling of Alternate Encoding | The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent. |
| CWE-174 | Double Decoding of the Same Data | The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations. |
| CWE-175 | Improper Handling of Mixed Encoding | The product does not properly handle when the same input uses several different (mixed) encodings. |
| CWE-176 | Improper Handling of Unicode Encoding | The product does not properly handle when an input contains Unicode encoding. |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | The product does not properly handle when all or part of an input has been URL encoded. |
| CWE-178 | Improper Handling of Case Sensitivity | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent r… |
| CWE-179 | Incorrect Behavior Order: Early Validation | The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous i… |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. T… |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter | The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step. This can… |
| CWE-182 | Collapse of Data into Unsafe Value | The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property. |
| CWE-183 | Permissive List of Allowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the input… |
| CWE-184 | Incomplete List of Disallowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require oth… |
| CWE-185 | Incorrect Regular Expression | The product specifies a regular expression in a way that causes data to be improperly matched or compared. When the regular expression is used in protection m… |
| CWE-186 | Overly Restrictive Regular Expression | A regular expression is overly restrictive, which prevents dangerous values from being detected. This weakness is not about regular expression complexity. Rat… |
| CWE-187 | Partial String Comparison | The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resulta… |
| CWE-188 | Reliance on Data/Memory Layout | The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. |
| CWE-190 | Integer Overflow or Wraparound | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will al… |
| CWE-191 | Integer Underflow (Wrap or Wraparound) | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal t… |
| CWE-192 | Integer Coercion Error | Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. Several flaws fall under the categ… |
| CWE-193 | Off-by-one Error | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
| CWE-194 | Unexpected Sign Extension | The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is ne… |
| CWE-195 | Signed to Unsigned Conversion Error | The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive ca… |
| CWE-196 | Unsigned to Signed Conversion Error | The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive … |
| CWE-197 | Numeric Truncation Error | Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller pr… |
| CWE-198 | Use of Incorrect Byte Ordering | The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input,… |
| CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to pr… |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-202 | Exposure of Sensitive Information Through Data Queries | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be … |
| CWE-203 | Observable Discrepancy | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor. |
| CWE-204 | Observable Response Discrepancy | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended… |
| CWE-205 | Observable Behavioral Discrepancy | The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision pro… |
| CWE-206 | Observable Internal Behavioral Discrepancy | The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allo… |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products | The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equ… |
| CWE-208 | Observable Timing Discrepancy | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant infor… |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-210 | Self-generated Error Message Containing Sensitive Information | The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |