CWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 351–400 of 970 · page 8 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information | The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an… |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product ma… |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded… |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating syste… |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. When d… |
| CWE-216 | DEPRECATED: Containment Errors (Container Errors) | This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since th… |
| CWE-217 | DEPRECATED: Failure to Protect Stored Data from Modification | This entry has been deprecated because it incorporated and confused multiple weaknesses. The issues formerly covered in this entry can be found at CWE-766 and … |
| CWE-218 | DEPRECATED: Failure to provide confidentiality for stored data | This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493. |
| CWE-219 | Storage of File with Sensitive Data Under Web Root | The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties. Besi… |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directo… |
| CWE-220 | Storage of File With Sensitive Data Under FTP Root | The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties. |
| CWE-221 | Information Loss or Omission | The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. |
| CWE-222 | Truncation of Security-relevant Information | The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack. |
| CWE-223 | Omission of Security-relevant Information | The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is sa… |
| CWE-224 | Obscured Security-relevant Information by Alternate Name | The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name. |
| CWE-225 | DEPRECATED: General Information Management Problems | This weakness can be found at CWE-199. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contain… |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. |
| CWE-229 | Improper Handling of Values | The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are u… |
| CWE-23 | Relative Path Traversal | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as "..… |
| CWE-230 | Improper Handling of Missing Values | The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empt… |
| CWE-231 | Improper Handling of Extra Values | The product does not handle or incorrectly handles when more values are provided than expected. |
| CWE-232 | Improper Handling of Undefined Values | The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. |
| CWE-233 | Improper Handling of Parameters | The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefine… |
| CWE-234 | Failure to Handle Missing Parameter | If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arg… |
| CWE-235 | Improper Handling of Extra Parameters | The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount. |
| CWE-236 | Improper Handling of Undefined Parameters | The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product. |
| CWE-237 | Improper Handling of Structural Elements | The product does not handle or incorrectly handles inputs that are related to complex structures. |
| CWE-238 | Improper Handling of Incomplete Structural Elements | The product does not handle or incorrectly handles when a particular structural element is not completely specified. |
| CWE-239 | Failure to Handle Incomplete Element | The product does not properly handle when a particular element is not completely specified. |
| CWE-24 | Path Traversal: '../filedir' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that … |
| CWE-240 | Improper Handling of Inconsistent Structural Elements | The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. |
| CWE-241 | Improper Handling of Unexpected Data Type | The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a let… |
| CWE-242 | Use of Inherently Dangerous Function | The product calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Function… |
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside … |
| CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory… |
| CWE-245 | J2EE Bad Practices: Direct Management of Connections | The J2EE application directly manages connections, instead of using the container's connection management facilities. The J2EE standard forbids the direct man… |
| CWE-246 | J2EE Bad Practices: Direct Use of Sockets | The J2EE application directly uses sockets instead of using framework method calls. |
| CWE-247 | DEPRECATED: Reliance on DNS Lookups in a Security Decision | This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. |
| CWE-248 | Uncaught Exception | An exception is thrown from a function, but it is not caught. When an exception is not caught, it may cause the program to crash or expose sensitive informati… |
| CWE-249 | DEPRECATED: Often Misused: Path Manipulation | This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to C… |
| CWE-25 | Path Traversal: '/../filedir' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/../" sequences that… |
| CWE-250 | Execution with Unnecessary Privileges | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequenc… |
| CWE-252 | Unchecked Return Value | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. Two common progra… |
| CWE-253 | Incorrect Check of Function Return Value | The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions. Important and common functio… |
| CWE-256 | Plaintext Storage of a Password | The product stores a password in plaintext within resources such as memory or files. |
| CWE-257 | Storing Passwords in a Recoverable Format | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable … |
| CWE-258 | Empty Password in Configuration File | Using an empty string as a password is insecure. |
| CWE-259 | Use of Hard-coded Password | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-26 | Path Traversal: '/dir/../filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/dir/../filename" se… |