970 indexed
CWECWE weaknesses
970 MITRE CWE entries — software weakness types that underlie vulnerabilities (CVE→CWE link). Filter by category. Authored by Adam Lundqvist.
Showing 401–450 of 970 · page 9 of 20
| ID | Title | Summary |
|---|---|---|
| CWE-260 | Password in Configuration File | The product stores a password in a configuration file that might be accessible to actors who do not know the password. This can result in compromise of the sy… |
| CWE-261 | Weak Encoding for Password | Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an appl… |
| CWE-262 | Not Using Password Aging | The product does not have a mechanism in place for managing password aging. |
| CWE-263 | Password Aging with Long Expiration | The product supports password aging, but the expiration period is too long. |
| CWE-264 | CWE-264: Permissions, Privileges, and Access Controls | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| CWE-266 | Incorrect Privilege Assignment | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-267 | Privilege Defined With Unsafe Actions | A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. |
| CWE-268 | Privilege Chaining | Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed with… |
| CWE-269 | Improper Privilege Management | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-27 | Path Traversal: 'dir/../../filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "..… |
| CWE-270 | Privilege Context Switching Error | The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. |
| CWE-271 | Privilege Dropping / Lowering Errors | The product does not drop privileges before passing control of a resource to an actor that does not have those privileges. In some contexts, a system executin… |
| CWE-272 | Least Privilege Violation | The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. |
| CWE-273 | Improper Check for Dropped Privileges | The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the product will continue to… |
| CWE-274 | Improper Handling of Insufficient Privileges | The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. |
| CWE-276 | Incorrect Default Permissions | During installation, installed file permissions are set to allow anyone to modify those files. |
| CWE-277 | Insecure Inherited Permissions | A product defines a set of insecure permissions that are inherited by objects that are created by the program. |
| CWE-278 | Insecure Preserved Inherited Permissions | A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement. |
| CWE-279 | Incorrect Execution-Assigned Permissions | While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. |
| CWE-28 | Path Traversal: '..\filedir' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "..\" sequences that … |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. … |
| CWE-281 | Improper Preservation of Permissions | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less r… |
| CWE-282 | Improper Ownership Management | The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. |
| CWE-283 | Unverified Ownership | The product does not properly verify that a critical resource is owned by the proper entity. |
| CWE-284 | Improper Access Control | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-285 | Improper Authorization | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-286 | Incorrect User Management | The product does not properly manage a user within its environment. Users can be assigned to the wrong group (class) of permissions resulting in unintended ac… |
| CWE-287 | Improper Authentication | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
| CWE-289 | Authentication Bypass by Alternate Name | The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly ch… |
| CWE-29 | Path Traversal: '\..\filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leadi… |
| CWE-290 | Authentication Bypass by Spoofing | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-291 | Reliance on IP Address for Authentication | The product uses an IP address for authentication. IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but… |
| CWE-292 | DEPRECATED: Trusting Self-reported DNS Name | This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. |
| CWE-293 | Using Referer Field for Authentication | The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. |
| CWE-294 | Authentication Bypass by Capture-replay | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replay… |
| CWE-295 | Improper Certificate Validation | The product does not validate, or incorrectly validates, a certificate. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with tha… |
| CWE-298 | Improper Validation of Certificate Expiration | A certificate expiration is not validated or is incorrectly validated. |
| CWE-299 | Improper Check for Certificate Revocation | The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. An… |
| CWE-30 | Path Traversal: '\dir\..\filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\dir\..\filename' (l… |
| CWE-300 | Channel Accessible by Non-Endpoint | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the chann… |
| CWE-301 | Reflection Attack in an Authentication Protocol | Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user. |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. |
| CWE-303 | Incorrect Implementation of Authentication Algorithm | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorr… |
| CWE-304 | Missing Critical Step in Authentication | The product implements an authentication technique, but it skips a step that weakens the technique. Authentication techniques should follow the algorithms tha… |
| CWE-305 | Authentication Bypass by Primary Weakness | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication… |
| CWE-306 | Missing Authentication for Critical Function | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |